Option 3 — Browser + Client-side API Key

Use this pattern when JavaScript on your public page should call the Data Checks API directly from the visitor’s browser, using a client-side API key from API Keys. The API key is not secret: you lock it to hostnames with allowed domains and you may optionally add a daily request cap.

How it works

  1. You create a client-side API key in API Keys and list every hostname the browser will use (for example example.com and www.example.com).
  2. Your page loads JavaScript that calls https://api.data-checks.com/v1/email or https://api.data-checks.com/v1/phone with Authorization: Bearer <CLIENT_SIDE_API_KEY> and JSON in the body.
  3. The browser sends an Origin header; Data Checks checks it against your API key's allowed domains, applies CORS headers when it matches, and returns a JSON response.

The Data Checks API is documented on the API Specs page. This pattern is cross-origin from your public page to the Data Checks API host; CORS is enabled only when the origin is allowed.

What you need

Minimal browser example

Call the Data Checks API directly from the page. Replace the placeholder <CLIENT_SIDE_API_KEY> with your client-side API key; the page must be served from an allowed domain listed on that API key.

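// Validate one email address from the browser with a client-side API key.
async function validateEmail(email) {
  const res = await fetch('https://api.data-checks.com/v1/email', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Accept': 'application/json',
      // Client-side key: not secret, restricted by the key's allowed domains.
      'Authorization': 'Bearer <CLIENT_SIDE_API_KEY>',
    },
    body: JSON.stringify({ email }),
  });
  // Fall back to an empty object if the response body is not valid JSON.
  const data = await res.json().catch(() => ({}));
  // Surface the API's error text, or the bare HTTP status if there is none.
  if (!res.ok) throw new Error(data.message || data.error || ('HTTP ' + res.status));
  return data;
}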

For phone validation, replace email with phone in this code. The integration is a few lines of JavaScript on the public page plus API Keys configuration.

Security checklist

CORS

Browser calls to https://api.data-checks.com are cross-origin. Data Checks adds Access-Control-Allow-Origin (and related headers) for POST and OPTIONS on /v1/email and /v1/phone when the request Origin host matches an active client-side API key’s allowlist. If the origin does not match, the browser will not read the response body.

Rate limits

Per minute: the Data Checks API is rate-limited at 60 requests per minute. When exceeded, the API returns 429 with {"error":"rate_limit_exceeded"}.

Per day (client-side API keys): POST /v1/email and POST /v1/phone count toward your client-side API key’s daily cap. When exceeded, the API returns 429 with {"error":"daily_limit_exceeded"}.

See the API Specs for details. Map each error to a friendly message and back off.
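
The error mapping and backoff described above, as an added example (not code from Data Checks): it retries only the per-minute 429 and stops on the daily cap, which will not clear by waiting a few seconds. The function names, message wording, retry count and delay values are assumptions, as is sending the phone number in a phone body field.

```javascript
const API_BASE = 'https://api.data-checks.com/v1/';
const API_KEY = '<CLIENT_SIDE_API_KEY>'; // placeholder, as in the example above

// Decide what to do with a response. Only the two 429 error codes come from
// this guide; the message wording and the retry policy are assumptions.
function classify(status, body) {
  const code = body && body.error;
  if (status === 429 && code === 'rate_limit_exceeded') {
    return { retry: true, message: 'Too many checks right now. Please try again shortly.' };
  }
  if (status === 429 && code === 'daily_limit_exceeded') {
    // Retrying against the daily cap only sends more requests that will fail.
    return { retry: false, message: 'Validation is temporarily unavailable.' };
  }
  if (status >= 200 && status < 300) return { retry: false, message: null };
  return { retry: false, message: 'Validation failed (HTTP ' + status + ').' };
}

// Exponential backoff: 1s, 2s, 4s ... capped at 30s (assumed values).
function backoffMs(attempt) {
  return Math.min(1000 * 2 ** attempt, 30000);
}

// kind is 'email' or 'phone'. fetchImpl and sleep can be injected for testing.
async function validateWithBackoff(kind, value, opts = {}) {
  const fetchImpl = opts.fetchImpl || fetch;
  const sleep = opts.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  const maxRetries = opts.maxRetries ?? 3;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(API_BASE + kind, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'Authorization': 'Bearer ' + API_KEY,
      },
      body: JSON.stringify({ [kind]: value }),
    });
    const data = await res.json().catch(() => ({}));
    const verdict = classify(res.status, data);
    if (verdict.message === null) return data; // success
    if (!verdict.retry || attempt >= maxRetries) throw new Error(verdict.message);
    await sleep(backoffMs(attempt)); // per-minute limit: wait, then retry
  }
}
```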

Troubleshooting

Support boundaries

Data Checks supports the behaviour of the public API and your account settings. Your front-end code, caching, and abuse controls run on your side. If a request reaches our API with a valid client key and fails with our documented status codes, use this guide and the API Specs; if the problem persists, contact support with timestamps and the HTTP status, without full personally identifiable information (PII).