The website session is for account management. Protected API requests use API keys. In practice, that means browser login and programmatic credentials are related, but not the same thing.
Auth model
- Public endpoints can be called without credentials
- Protected endpoints require
X-API-Key - API keys are created, copied, and revoked from the profile area
When website login matters
You need a website account to manage credentials, but your scripts and services still need to attach an explicit API key when they call protected data endpoints.
Passing the API key
GET
/api/v1/markets/{market}Get one market
getMarket
Requires API key
The common pattern is simple: pass the key in the X-API-Key header.
curlbash
curl "https://heliumlabz.com/api/v1/markets/CN" \
-H "X-API-Key: $ASHARE_API_KEY"JavaScript fetchts
const response = await fetch("https://heliumlabz.com/api/v1/markets/CN", {
headers: {
"X-API-Key": process.env.ASHARE_API_KEY ?? "",
},
});Account and key management
- Sign in from the top-right account entry
- Open
Profile - Go to the
API Keystab - Create a new key and copy the plaintext immediately
- Store it in a password manager or environment variable
Do not expose keys in public clients
API keys are for controlled environments such as servers, scripts, CLIs, or private automation. Do not ship them in public browser-side bundles.