Option 3 — Browser + Client-side API Key
Use this pattern when JavaScript on your public page should call the Data Checks API directly from the visitor’s browser, using a client-side API key from API Keys. The API key is not secret: you lock it to hostnames with allowed domains and you may optionally add a daily request cap.
How it works
- You create a client-side API key in API Keys and list every hostname the browser will use (for example example.com and www.example.com).
- Your page loads JavaScript that calls https://api.data-checks.com/v1/email or https://api.data-checks.com/v1/phone with Authorization: Bearer <CLIENT_SIDE_API_KEY> and JSON in the body.
- The browser sends an Origin header; Data Checks checks it against your API key's allowed domains, applies CORS when it matches, and returns a JSON response.
The Data Checks API is documented on the API Specs page. This pattern is cross-origin from your public page to the Data Checks API host; CORS is enabled only when the origin is allowed.
What you need
- An active Data Checks account, credits for the service you call, and a client-side API key with every hostname you need under allowed domains and an optional daily request cap.
- HTTPS on the pages that your visitors use and that embed the API key (recommended for any form or API traffic).
- JavaScript that can call fetch (or equivalent) to https://api.data-checks.com with JSON and the Bearer header.
Minimal browser example
Call the Data Checks API directly from the page. Replace the placeholder <CLIENT_SIDE_API_KEY> with your client-side API key; the page must be served from an allowed domain listed on that API key.
async function validateEmail(email) {
  const res = await fetch('https://api.data-checks.com/v1/email', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      'Authorization': 'Bearer <CLIENT_SIDE_API_KEY>',
    },
    body: JSON.stringify({ email }),
  });
  // A body that is not JSON falls back to an empty object instead of throwing here.
  const data = await res.json().catch(() => ({}));
  // Surface the API's own error text when present, otherwise the HTTP status.
  if (!res.ok) throw new Error(data.message || data.error || ('HTTP ' + res.status));
  return data;
}
For phone validation, replace email with phone in this code. The integration is a few lines of JavaScript on the public page plus API Keys configuration.
Security checklist
- Treat the client-side API key as public: anyone who can load your page may extract it. Allowed domains limit which sites may receive CORS and pass origin checks, but determined clients can still replay the key within rate and credit limits.
- Never use a server-side API key for this type of integration.
- Validate and bound input length (email and phone strings should match the limits in the API Specs).
- Debounce or throttle UI triggers so a single visitor cannot burn credits or hit daily caps instantly.
- Consider hiding remaining_credits from end users if you expose raw API responses in the browser.
CORS
Browser calls to https://api.data-checks.com are cross-origin. Data Checks adds Access-Control-Allow-Origin (and related headers) for POST and OPTIONS on /v1/email and /v1/phone when the request Origin host matches an active client-side API key’s allowlist. If the origin does not match, the browser will not read the response body.
Rate limits
Per minute: the Data Checks API is rate-limited at 60 requests per minute. When exceeded, the API returns 429 with {"error":"rate_limit_exceeded"}.
Per day (client-side API keys): POST /v1/email and POST /v1/phone count toward your client-side API key’s daily cap. When exceeded, the API returns 429 with {"error":"daily_limit_exceeded"}.
See the API Specs for details. Map each error to a friendly message and a backoff.
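The security checklist and the rate-limit handling above, combined in one wrapper. This is an added example, not code from the Data Checks documentation: the names validateEmailSafely, checkInput and interpretResponse are introduced here, and the length bound, throttle interval and backoff durations are assumed values to be replaced with the limits in the API Specs.

```javascript
// Added example. The numeric limits and backoff durations below are assumptions;
// take the real input limits from the API Specs.
const API_URL = 'https://api.data-checks.com/v1/email';
const MAX_EMAIL_LEN = 254;        // assumed input bound
const MIN_INTERVAL_MS = 1000;     // assumed minimum gap between calls from one page
const MINUTE_BACKOFF_MS = 60000;  // assumed wait after rate_limit_exceeded
const DAILY_BACKOFF_MS = 3600000; // assumed wait after daily_limit_exceeded

// Reject empty or oversized input before it costs a request or a credit.
function checkInput(email) {
  const value = typeof email === 'string' ? email.trim() : '';
  return value.length === 0 || value.length > MAX_EMAIL_LEN ? null : value;
}

// Map an HTTP status and parsed body to something safe to show the visitor.
function interpretResponse(status, body) {
  const data = body && typeof body === 'object' ? body : {};
  if (status === 429) {
    const daily = data.error === 'daily_limit_exceeded';
    return { ok: false, retryAfterMs: daily ? DAILY_BACKOFF_MS : MINUTE_BACKOFF_MS,
             message: daily ? 'Email checks are unavailable right now.' : 'Too many checks, try again in a minute.' };
  }
  if (status < 200 || status >= 300) {
    return { ok: false, retryAfterMs: null, message: 'Validation failed (HTTP ' + status + ').' };
  }
  const { remaining_credits, ...result } = data; // keep account data out of the UI
  return { ok: true, result };
}

let lastCall = 0, blockedUntil = 0;

// fetchImpl and now are injectable so the logic can be exercised outside a browser.
async function validateEmailSafely(email, fetchImpl = fetch, now = Date.now()) {
  const value = checkInput(email);
  if (value === null) return { ok: false, message: 'Enter a valid email address.' };
  if (now < blockedUntil || now - lastCall < MIN_INTERVAL_MS) {
    return { ok: false, message: 'Please wait before checking again.' };
  }
  lastCall = now;
  const res = await fetchImpl(API_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'Accept': 'application/json',
               'Authorization': 'Bearer <CLIENT_SIDE_API_KEY>' },
    body: JSON.stringify({ email: value }),
  });
  const outcome = interpretResponse(res.status, await res.json().catch(() => ({})));
  if (outcome.retryAfterMs) blockedUntil = now + outcome.retryAfterMs;
  return outcome;
}
```

The throttle state lives in the page, so it only slows an honest visitor's browser; the allowed domains and the daily request cap on the API key remain the controls enforced by Data Checks.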
Troubleshooting
- 4xx API errors — see the PDF references on the API Specs page.
- CORS errors — confirm the page hostname is listed on the client-side API key and that you are calling https://api.data-checks.com over HTTPS.
Support boundaries
Data Checks supports the behaviour of the public API and your account settings. Your front-end code, caching, and abuse controls run on your side. If a request reaches our API with a valid client key and fails with our documented status codes, use this guide and the API Specs; if the problem persists, contact support with timestamps and the HTTP status, without full personally identifiable information (PII).