Bearer token
Include your API key in theAuthorization header:
Key format
Borough API keys use the formatBOROUGH_<uuid>, for example:
Free-tier access
Search endpoints (/v1/search/rentals, /v1/search/sales) and the areas endpoint (/v1/areas) work without authentication. Unauthenticated requests are subject to:
- 10 requests/minute rate limit (IP-based)
- 100 requests/month quota
- Maximum 10 results per page
Key validation
Keys are validated against the Polar.sh API and cached for 10 minutes. If your key is revoked or expires, cached access will stop within 10 minutes.Error responses
| Code | Status | Description |
|---|---|---|
MISSING_API_KEY | 401 | No Authorization header provided on a protected endpoint |
INVALID_API_KEY | 401 | Key doesn’t match any active subscription |
EXPIRED_API_KEY | 401 | Subscription has ended |
TIER_RESTRICTED | 403 | Endpoint requires a higher tier |
Security best practices
- Store keys in environment variables, never in client-side code
- Rotate keys by creating a new subscription if compromised
- Use the minimum tier needed for your use case