/public/* require a valid API key. WXA VPN Intelligence
uses a two-path auth model — the gateway validates the customer key and the
backend trusts what the gateway forwards.
API key format
Customer API keys follow the pattern:
How to authenticate
Option A — Authorization header (recommended)
vpn-proxy-detection.whoisxmlapi.com) validates the key, then forwards the
request to the backend with two internal headers:
- X-Internal-Key — shared secret that proves the request came from a trusted gateway (not a direct backend bypass)
- X-Tier — the customer’s plan tier (free|starter|pro|scale|business|enterprise)
X-Internal-Key + X-Tier from the gateway.
Option B — NAF query-param path
When the NAF endpoint is configured (NAF_ENDPOINT + NAF_API_ID=92), the
BFF accepts the key as a query parameter:
validate_call to gate on subscription/credits, then
log_successfull_call.php to deduct credits (N = IP count on /ip/batch).
The feature tier comes from the backend’s own api_keys mapping. When
NAF_ENDPOINT is not set, the ?apiKey= parameter is inert and Option A is
the only valid auth.
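The trust rule the two options above impose on the backend, as an added Python sketch that is not the product's own code: it assumes request headers arrive with canonical names, uses a constructed shared secret and api_keys mapping, and stands in for NAF's validate_call with a local check.

```python
import hmac

# Tier -> rate limit in requests per minute, from the table on this page.
TIER_RATE_LIMITS = {"free": 2, "starter": 30, "pro": 100, "scale": 250,
                    "business": 500, "enterprise": 10_000}

# Constructed demo values; a deployment reads these from its own config.
INTERNAL_KEY = "constructed-gateway-shared-secret"
API_KEYS = {"constructed-customer-key-1": "starter"}  # backend api_keys mapping


class AuthError(Exception):
    pass


def naf_validate_call(api_key):
    """Assumed stand-in for NAF validate_call (subscription/credits gate)."""
    return api_key in API_KEYS


def resolve_tier(headers, query, naf_enabled):
    """Return the plan tier for one backend request, or raise AuthError.

    Option A: X-Tier is trusted only when X-Internal-Key matches the shared
    secret (constant-time compare), so a client that reaches the backend
    directly cannot pick its own tier just by sending the header.
    Option B: ?apiKey= counts only when NAF is configured; the tier then
    comes from the backend's api_keys mapping, never from the caller.
    """
    presented = headers.get("X-Internal-Key")
    if presented is not None:
        if not hmac.compare_digest(presented.encode(), INTERNAL_KEY.encode()):
            raise AuthError("X-Internal-Key mismatch")
        tier = headers.get("X-Tier", "")
        if tier not in TIER_RATE_LIMITS:
            raise AuthError(f"unknown X-Tier {tier!r}")
        return tier
    api_key = query.get("apiKey")
    if naf_enabled and api_key is not None:
        if not naf_validate_call(api_key):
            raise AuthError("NAF rejected key")
        tier = API_KEYS.get(api_key)
        if tier is None:
            raise AuthError("key has no api_keys mapping")
        return tier
    # No gateway secret and no usable NAF path: a bare X-Tier proves nothing.
    raise AuthError("unauthenticated")


def authorize(headers, query, naf_enabled=False):
    """Non-raising wrapper: (tier, requests per minute) or None if rejected."""
    try:
        tier = resolve_tier(headers, query, naf_enabled)
    except AuthError:
        return None
    return tier, TIER_RATE_LIMITS[tier]
```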
Tiers and rate limits
Rate limits are enforced per key. See tiers for the full feature matrix.

| Tier | Monthly quota | Rate limit |
|---|---|---|
| Free | 10,000 | 2 req/min |
| Starter | 1,000,000 | 30 req/min |
| Pro | 10,000,000 | 100 req/min |
| Scale | 50,000,000 | 250 req/min |
| Business | Unlimited | 500 req/min |
| Enterprise | Unlimited | 10,000 req/min |
HTTP 429 with a Retry-After header
indicating seconds until the next window. See
error handling.
Rotation
Rotate keys at least every 90 days, or immediately if you suspect leakage:
- Generate a new key in the dashboard
- Deploy the new key to your applications
- Revoke the old key once traffic has migrated (30-second propagation)
Multiple environments
Generate one key per environment (prod, staging, ci) and tag them in
the dashboard so usage analytics break down cleanly. Keys are not
environment-locked at the API layer; the tagging is for your own audit.
What not to do
- Don’t commit keys to source control. Use environment variables, a secrets manager, or .env files added to .gitignore.
- Don’t share keys across teams. Generate one key per team or service.
- Don’t bypass per-key rate limits by issuing many keys. Distributed request patterns intended to evade quotas violate the Acceptable Use Policy.
Public no-auth endpoints
A subset of endpoints under /public/* is available without an API key,
with aggressive per-IP rate limits and a restricted response shape. These
exist for evaluation and self-checks — not production traffic.