GALEN API

Authentication

All requests to the Galen API are authenticated with an API key passed via HTTP header.

API key authentication

The Galen API uses API keys passed via the X-API-Key header. All requests except /health require a valid key.

Include the header in every request:

X-API-Key: gk_live_your_key_here

Getting your API key

  1. Sign up for a free account — no credit card required
  2. Open your Dashboard and click “Generate New Key”
  3. Keys use the gk_live_ prefix for easy identification
  4. Copy your key immediately — it is only shown once

Important: Your API key is displayed only at creation time. If you lose it, revoke the old key and generate a new one from the Dashboard.

Code examples

Authenticate by passing your API key in the X-API-Key header:

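import requests

# Placeholder value; in real code load the key from the GALEN_API_KEY environment variable
API_KEY = "gk_live_your_key_here"
BASE = "https://research.usegalen.com/api/v1"

response = requests.get(
    f"{BASE}/entities/EGFR",
    headers={"X-API-Key": API_KEY},
    timeout=10,  # do not hang forever on a stalled connection
)
response.raise_for_status()  # surface HTTP errors (such as 429) instead of parsing an error body
print(response.json())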

Key management

Manage your API keys from the Dashboard.

  • Rotate keys — generate a new key and revoke the old one with zero downtime
  • Revoke compromised keys — takes effect immediately; all in-flight requests with the old key will fail
  • Per-key usage tracking — each key tracks its own request count and rate limit usage

Rate limits by tier

Rate limits are enforced per API key. Exceeding the limit returns a 429 response with a Retry-After header.

Tier                         Per minute   Per hour   Per day
Explorer (Free)              30           500        1,000
Researcher ($49/mo)          60           1,000      5,000
Pro ($199/mo)                300          10,000     50,000
Enterprise (From $999/mo)    Custom       Custom     Unlimited

See Pricing for a full comparison of tiers, endpoint access, and support levels.

Security best practices

  • Never commit keys to version control — add .env to your .gitignore
  • Use environment variables — load keys from GALEN_API_KEY at runtime, not hardcoded strings
  • Rotate periodically — generate a fresh key every 90 days as a matter of hygiene
  • Use the minimum tier needed — start with Explorer and upgrade only when your usage requires it
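
The following is an added example, not code from the Galen documentation: it combines the environment-variable practice above with the 429 / Retry-After behaviour described under "Rate limits by tier". The function names, the three-attempt limit, the 60-second cap and the standard-library urllib transport are assumptions made for this sketch; only the header name, key prefix, base URL and GALEN_API_KEY variable come from the page.

```python
import os
import time
import urllib.error
import urllib.request
from email.utils import parsedate_to_datetime

BASE = "https://research.usegalen.com/api/v1"  # base URL from the page's example
KEY_PREFIX = "gk_live_"                        # key prefix documented on the page


def load_api_key(env=os.environ):
    """Read the key from GALEN_API_KEY; fail early on a missing or foreign value."""
    key = env.get("GALEN_API_KEY", "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise RuntimeError("GALEN_API_KEY is missing or lacks the gk_live_ prefix")
    return key


def retry_after_seconds(value, now=None, default=1.0, cap=60.0):
    """Retry-After is either delta-seconds or an HTTP-date; clamp to [0, cap]."""
    try:
        delay = float(value)
    except (TypeError, ValueError):
        try:
            when = parsedate_to_datetime(value).timestamp()
            delay = when - (time.time() if now is None else now)
        except (TypeError, ValueError):
            delay = default  # header absent or unparseable
    return min(max(delay, 0.0), cap) if delay == delay else default  # NaN guard


def urllib_send(url, headers):
    """Default transport (assumed): returns (status, response_headers, body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def galen_get(path, key, send=urllib_send, sleep=time.sleep, max_attempts=3):
    """GET with X-API-Key; on 429 wait as told by Retry-After, then retry."""
    for attempt in range(max_attempts):
        status, headers, body = send(BASE + path, {"X-API-Key": key})
        if status != 429 or attempt == max_attempts - 1:
            return status, body
        sleep(retry_after_seconds(headers.get("Retry-After")))
```

Call it as galen_get("/entities/EGFR", load_api_key()); the key is passed only in the request header and is never written to logs or error messages.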