The YGO API uses Bearer token authentication. All API requests must include a valid API token in the Authorization header.
How API Tokens Work#
Project-specific - Tied to a single Project (Sandbox or Production)
Environment-routing - Automatically directs requests to the correct environment
Long-lived - Tokens don't expire unless you revoke them
Scoped to your data - Only access bookings and data within that Project
Simplified Environment Management
The YGO API uses intelligent token-based routing. Each API token is connected to either a Sandbox or Production Project, and automatically routes your requests to the appropriate environment—all through the same base URL (https://api.ygo.ai/v1). No need to manage different endpoints.
Keep your API tokens secure! Treat them like passwords:
Never commit them to version control
Don't expose them in client-side code
Store them securely (environment variables, secret managers)
Rotate tokens if you suspect they've been compromised
Getting Your First API Token#
During Onboarding#
When you first partner with YGO, we'll:
1. Create your Organization and first Sandbox Project
2. Generate your first API token
This token is for your Sandbox environment, so you can start integrating immediately.
After Contract Signing#
Once your contract is finalized, you'll gain access to the YGO Console UI, where you can:
Generate new tokens for additional Projects
Revoke compromised tokens
Switch between Sandbox and Production tokens
Console UI Access: Your account manager will send you login credentials for the YGO Console once your contract is signed.
Making Authenticated Requests#
Include your API token in the Authorization header with every request using the Bearer scheme:
The API automatically routes your request to the correct environment (Sandbox or Production) based on the Project your API token is connected to.
Headers required for all requests:
| Header | Value | Required |
|---|---|---|
| Authorization | Bearer your_api_token | Yes |
| Content-Type | application/json | Yes (for POST/PUT requests) |
Testing Your API Token#
To verify your API token is working, try this simple request:
Successful response (200 OK):
{
  "Data": {
    "OrgID": "org_xyz789",
    "ProjectID": "proj_abc123",
    "ProjectName": "My Sandbox Project",
    "Environment": "sandbox"
  },
  "Error": null
}
Authentication Errors#
Invalid or Missing Token#
{
  "Data": null,
  "Error": "Invalid or missing authorization token"
}
Authorization header not included
Missing "Bearer " prefix in Authorization header
Token has been revoked or expired
Managing API Tokens#
In the YGO Console#
Once you have Console access, you can:
1. View all tokens - See which tokens belong to which Projects
2. Generate new tokens - Create additional tokens for the same Project (useful for different services)
3. Revoke tokens - Immediately invalidate compromised tokens
4. Monitor usage - Track API calls per token (coming soon)
Best Practices#
DO:
Use separate API tokens for different environments (Sandbox vs Production)
Store tokens in environment variables or secret managers
Rotate tokens periodically (every 6-12 months)
Revoke tokens immediately if compromised
DON'T:
Hard-code tokens in your application
Commit tokens to Git repositories
Share tokens between team members (generate separate tokens instead)
Use Production tokens for testing
Rate Limits#
API tokens are subject to rate limits to ensure fair usage:
Sandbox: 100 requests per minute
Production: 1000 requests per minute (or custom limits per contract)
Rate limit information is included in response headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000
If you hit rate limits regularly, contact your account manager to discuss increasing your limits.
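The following is an added example, not YGO's own code, showing three client-side guards that follow from the practices above: load the token from an environment variable, confirm which environment the token routes to before sending real traffic, and pause when the rate limit headers show the quota is exhausted. The variable name YGO_API_TOKEN, the function names, and the reading of X-RateLimit-Reset as a Unix timestamp in seconds are assumptions; the sample responses are constructed from the ones shown on this page.

```python
import json
import os

TOKEN_VAR = "YGO_API_TOKEN"  # assumed variable name, not defined by YGO


def auth_headers(environ=os.environ):
    """Build request headers from a token kept outside the source tree."""
    token = environ.get(TOKEN_VAR, "").strip()
    if not token or any(c.isspace() for c in token):
        # Never echo the token value itself into errors or logs.
        raise RuntimeError(f"{TOKEN_VAR} is unset or malformed")
    return {"Authorization": f"Bearer {token}",
            "Content-Type": "application/json"}


def require_environment(body, expected):
    """Refuse to continue if the token routes to the wrong environment."""
    envelope = json.loads(body)
    if envelope.get("Error") is not None:
        raise PermissionError(envelope["Error"])
    actual = envelope["Data"]["Environment"]
    if actual != expected:
        raise RuntimeError(f"token routes to {actual!r}, expected {expected!r}")
    return envelope["Data"]["ProjectID"]


def seconds_to_wait(headers, now):
    """Return how long to pause once the per-minute quota is used up."""
    # Assumption: X-RateLimit-Reset is a Unix timestamp in seconds.
    if int(headers.get("X-RateLimit-Remaining", "1")) > 0:
        return 0
    return max(0, int(headers["X-RateLimit-Reset"]) - int(now))


# Constructed sample data mirroring the responses shown on this page.
SAMPLE_OK = ('{"Data": {"OrgID": "org_xyz789", "ProjectID": "proj_abc123", '
             '"ProjectName": "My Sandbox Project", "Environment": "sandbox"}, '
             '"Error": null}')
SAMPLE_DENIED = '{"Data": null, "Error": "Invalid or missing authorization token"}'

if __name__ == "__main__":
    print(sorted(auth_headers({TOKEN_VAR: "constructed-token-value"})))
    print(require_environment(SAMPLE_OK, "sandbox"))
    print(seconds_to_wait({"X-RateLimit-Remaining": "0",
                           "X-RateLimit-Reset": "1640000000"}, 1639999970))
```

Calling require_environment with "production" against a Sandbox token raises before any booking request is sent, which catches a swapped token at startup.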
Next Steps#
Now that you're authenticated, try the Quickstart Guide to make your first search request.