Skip to main content
All public API requests use the same production base URL: 
https://api.visor.vin/v1
Send API keys in the Authorization header: 
export VISOR_API_KEY="vis_live_..."

curl "https://api.visor.vin/v1/listings?limit=1&make=toyota" \
  -H "Authorization: Bearer $VISOR_API_KEY"
Do not put API keys in query strings, prompts, shared config files, screenshots, shell history, or URLs. Query-string keys such as ?api_key=..., ?apiKey=..., ?key=..., and ?access_token=... are rejected.

Keys and accounts

API keys belong to an API account, not to one endpoint. All keys on the same account share that account’s billing balance, monthly spend cap, and Usage Tier rate limits. Create and revoke keys from the Visor dashboard credentials area. The secret is shown once, so store it in a password manager or secret manager before leaving the page. For local development, use an environment variable: 
export VISOR_API_KEY="vis_live_..."
For server-side production code, store the key in your deployment platform’s secret manager and inject it as an environment variable. Avoid committing .env files.

Scopes

Keys can be scoped. Give a key only the scopes it needs:
ScopeAllows
inventory.readListing search, listing detail, facets, and VIN lookup
dealers.readDealer search, dealer detail, and dealer inventory
usage.readAccount usage summaries from /v1/usage
If a key is valid but missing a scope, the API returns 403 permission_error with code: "missing_scope".

Check a key

If the key has usage.read, /v1/usage is a good connectivity check because it is not billable: 
curl "https://api.visor.vin/v1/usage" \
  -H "Authorization: Bearer $VISOR_API_KEY"
If the key only has inventory or dealer scopes, run a deliberately small request: 
curl "https://api.visor.vin/v1/listings?limit=1&fields=id,vin" \
  -H "Authorization: Bearer $VISOR_API_KEY"

Common authentication failures

StatusCodeMeaning
400query_string_api_key_rejectedA key-like query parameter was sent. Move the key to the Authorization header.
401missing_api_keyNo bearer token was provided.
401invalid_api_keyThe token is malformed, revoked, or unknown.
402billing_state_blockedThe API account cannot make paid requests in its current billing state.
402monthly_spend_cap_exceededThe request would exceed the account’s monthly spend cap.
403missing_scopeThe key is valid but does not include the scope required by the endpoint.

Agents and OAuth

For Claude, ChatGPT, Codex, Claude Code, OpenCode, and other MCP clients, the hosted MCP server can use OAuth so you do not copy an API key into the client: 
https://mcp.visor.vin/mcp
See Connect to your AI agent for app-specific setup.