Authentication
Some Scryfall API methods require authentication. If a method does, it will document its authentication type on its page. Methods that don’t document an authentication type are public and can be called anonymously.
Scryfall uses HTTP Authorization: Bearer headers for authentication.
The word Bearer must be followed by exactly one space (U+0020)
and then the required secret key for the current method.
The different authentication modes are:
| Mode | Required Secret | Description |
|---|---|---|
(none) |
Public methods require no |
|
Application |
|
The method is performed as your application |
OAuth Grant |
|
The method is performed with the rights of the grant account |
For example, if you are submitting a request to a method that
requires Application authorization, you must submit an
HTTP header like Authorization: Bearer X
where X is your client_secret token, including the cs- prefix.