Authentication - Commodity Fundamentals

Overview

Every request to the Commodity Fundamentals API must include a valid API key. You can authenticate using either a Bearer token in the Authorization header or as a query parameter.

The Free tier includes 1,000 API calls per day. Upgrade to Professional for 100,000 calls/day and full historical data.

Getting an API Key

Create an account at commodityfundamentals.com/signup
Navigate to your dashboard
Your API key is displayed on the dashboard home page

Your API key is a 40-character hex string that looks like this:

a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0

Bearer Token (Recommended)

Pass your API key in the Authorization header as a Bearer token. This is the recommended approach as it keeps the key out of URLs and server logs.

curl -X GET "https://commodityfundamentals.com/api/v1/commodities" \
  -H "Authorization: Bearer YOUR_API_KEY"

import requests

response = requests.get(
    "https://commodityfundamentals.com/api/v1/commodities",
    headers={"Authorization": "Bearer YOUR_API_KEY"}
)

data = response.json()

require "net/http"
require "json"

uri = URI("https://commodityfundamentals.com/api/v1/commodities")
req = Net::HTTP::Get.new(uri)
req["Authorization"] = "Bearer YOUR_API_KEY"

res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http|
  http.request(req)
}

data = JSON.parse(res.body)

Query Parameter

Alternatively, pass your API key as the api_key query parameter. This is useful for quick testing but not recommended for production use.

https://commodityfundamentals.com/api/v1/commodities?api_key=YOUR_API_KEY

Query parameter authentication is less secure. API keys in URLs may appear in browser history, server logs, and referrer headers. Use Bearer token authentication in production.

Authentication Errors

The API returns specific error codes for authentication problems:

Status	Error	Cause
401	invalid_api_key	Missing, invalid, or revoked API key
403	historical_limit	Free tier key requesting data older than 12 months
429	rate_limit_exceeded	Too many requests for your plan tier

API Key Security

Follow these practices to keep your API key secure:

Never commit keys to version control. Use environment variables or secrets managers.
Use server-side requests only. Never expose your API key in client-side JavaScript.
Rotate keys periodically. Generate a new key and revoke the old one from your dashboard.
Use separate keys per environment. Keep different keys for development, staging, and production.

# Store your key in an environment variable
export COMMODITY_FUNDAMENTALS_API_KEY="cf_live_a1b2c3d4..."

# Use it in your application
curl -H "Authorization: Bearer $COMMODITY_FUNDAMENTALS_API_KEY" \\
  https://commodityfundamentals.com/api/v1/commodities

Rotating Keys

You can rotate your API key at any time from your dashboard. The process is:

Generate a new API key from your dashboard
Update your applications to use the new key
Verify the new key is working correctly
Revoke the old key

Revoking a key is immediate and irreversible. Any requests using the revoked key will return a 401 error. Make sure all your applications are updated before revoking the old key.