Some Scryfall API methods require authentication. If a method does, it will document its authentication type on its page. Methods that don’t document an authentication type are public and can be called anonymously.

Scryfall uses HTTP Authorization: Bearer headers for authentication. The word Bearer must be followed by exactly one space (U+0020) and then the required secret key for the current method.

The different authentication modes are:

Mode Required Secret Description


Public methods require no Authorization header



The method is performed as your application

OAuth Grant


The method is performed with the rights of the grant account

For example, if you are submitting a request to a method that requires Application authorization, you must submit an HTTP header like Authorization: Bearer X where X is your client_secret token, including the cs- prefix.