Authentication

Some Scryfall API methods require authentication. If a method does,
it will document its authentication type on its page.
Methods that don’t document an authentication type are public
and can be called anonymously.

Scryfall uses HTTP Authorization: Bearer headers for authentication.
The word Bearer must be followed by exactly one space (U+0020)
and then the required secret key for the current method.

The different authentication modes are:

Mode Required Secret Description

(none)

Public methods require no Authorization header

Application

client_secret

The method is performed as your application

OAuth Grant

grant_secret

The method is performed with the rights of the grant account

For example, if you are submitting a request to a method that
requires Application authorization, you must submit an
HTTP header like Authorization: Bearer X
where X is your client_secret token, including the cs- prefix.