Authentication
Some Scryfall API methods require authentication. If a method does, it will document its authentication type on its page. Methods that don’t document an authentication type are public and can be called anonymously.
Scryfall uses HTTP Authorization: Bearer
headers for authentication.
The word Bearer
must be followed by exactly one space (U+0020
)
and then the required secret key for the current method.
The different authentication modes are:
Mode | Required Secret | Description |
---|---|---|
(none) |
Public methods require no |
|
Application |
|
The method is performed as your application |
OAuth Grant |
|
The method is performed with the rights of the grant account |
For example, if you are submitting a request to a method that
requires Application authorization, you must submit an
HTTP header like Authorization: Bearer X
where X
is your client_secret
token, including the cs-
prefix.