SEC EDGAR API key: how to get one in 2026 (step by step)
There is no SEC EDGAR API key. You can search for one all day. It will not turn up, because it was never made.
I know that is not the answer you came for. It is the one that saves you the most time.
The SEC EDGAR API needs no API key. The official endpoints on data.sec.gov ask only for a User-Agent header with your name and email, and they cap you at 10 requests per second. For a real key with clean, normalized financials, you sign up for a wrapper like Edgrapi, copy an edgr_ key, and send it as a Bearer token. Free tier, no card.
Is there a SEC EDGAR API key?
No. The SEC EDGAR API does not use API keys at all. The data.sec.gov endpoints are open to anyone who sends a valid User-Agent header and respects the rate limit, per the SEC's EDGAR API documentation. There is nothing to sign up for and nothing to paste into your code.
This throws people, because almost every other API hands you a key on day one.
The SEC went the other way. Instead of keys, it asks you to say who you are in the request header, so it can email you if your traffic misbehaves. For reading data, that header is the whole login.
How do you authenticate with the SEC EDGAR API?
You send a User-Agent header that names you and gives a contact email. The SEC's fair-access rules ask for a string like "Acme Analytics you@acme.com" on every request to data.sec.gov, and that header is the only credential the API checks beyond the 10 requests-per-second limit, per the SEC's access guidance.
Here it is in Python:
import requests
r = requests.get(
"https://data.sec.gov/api/xbrl/companyfacts/CIK0000320193.json",
headers={"User-Agent": "Acme Analytics you@acme.com"},
)
data = r.json()
No Authorization header. No api_key. Drop the User-Agent and the SEC answers with a 403, then starts ignoring your IP.
The reward for getting it right is raw XBRL keyed by CIK, not by ticker. Which is the exact moment a lot of people decide the free route is not free enough and go looking for a managed key.
What about the SEC filer API token?
That is a different thing entirely. The SEC does issue filer and user API tokens, but those are for submitting filings as a registered EDGAR filer, not for reading company data, per the SEC's filer token guide. If your goal is to pull financials, you never touch them.
The naming collision is the whole problem.
Type "SEC API key" into Google and you get the filer-token pages and the read-only data APIs in the same breath. For everything in this guide, you want the keyless data side, or a third-party key that wraps it.
How do you get a free Edgrapi API key, step by step?
You sign up with an email, copy your edgr_ key, and send it as a Bearer token. Edgrapi's free tier is 100 requests with no credit card, and the key works across every endpoint. The whole thing takes under two minutes, with no company details and no card.
The four steps:
- Go to edgrapi.com and enter your email.
- Copy the key from your dashboard. It looks like
edgr_live_...and is shown once. - Send it as
Authorization: Bearer edgr_your_key. - Call
/v1/fundamentals/AAPLand read the JSON.
Why bother with a wrapper key when the SEC API is free? Because the SEC gives you raw XBRL and Edgrapi gives you clean fields. Revenue is just revenue for any of 10,400+ companies, and the same key also reaches ratios, filings, sections, and the MCP server.
How do the SEC API auth styles compare?
There are three styles, depending on which API you call. The raw SEC API uses a User-Agent header and no key. sec-api.io uses a bare key in the Authorization header with no "Bearer" prefix. Edgrapi uses a standard Bearer edgr_ token. Each returns different data for different effort.
| How you authenticate | Key needed | What you get | |
|---|---|---|---|
| Raw SEC API | User-Agent header | No | Raw XBRL by CIK |
| sec-api.io | Authorization: <key> | Yes (no Bearer) | Filing-centric JSON |
| Edgrapi | Authorization: Bearer edgr_ | Yes | Normalized financials |
sec-api.io documents that you pass the key directly in the Authorization header, without a Bearer prefix, per its docs and pricing. Edgrapi follows the standard Bearer convention, so existing HTTP clients and SDKs work unchanged.
How do you make your first authenticated call?
You send a GET to the fundamentals endpoint with your Bearer key. A valid key returns a 200 with normalized revenue, net income, and the rest of the statements; a missing or wrong key returns 401. That round trip is the fastest way to confirm your key works.
import requests
r = requests.get(
"https://api.edgrapi.com/v1/fundamentals/AAPL",
headers={"Authorization": "Bearer edgr_your_key"},
)
print(r.status_code) # 200
print(r.json()["revenue"]) # 391035000000
401? The header is missing or the key has a typo. 200? You are done. Go build something.
How do you keep your API key safe?
Keep the edgr_ key on a server, never in the browser. Store it in an environment variable, call Edgrapi from your backend, and proxy the results to the client. If a key ever lands in a commit, a log, or a screenshot, rotate it. Treat it like a password, because it is one.
Two rules cover most mistakes.
First, never put the key in front-end JavaScript, where anyone can read it. Second, keep it out of git by loading it from an environment variable instead of a hardcoded string.
Start: make your first call
If you only need raw filings and you are fine parsing XBRL, the SEC API is free and a User-Agent header is all you need. Set it and start pulling.
If you want clean financials without the parsing, grab a free Edgrapi key, send it as a Bearer token, and call /v1/fundamentals with a ticker you care about. A hundred free requests is enough to ship a prototype before you ever think about paying.
Frequently asked questions
Do I need an API key for the SEC EDGAR API?
No. The SEC EDGAR API on data.sec.gov needs no API key and no signup. You authenticate by sending a User-Agent header with your app name and a contact email, and you stay under 10 requests per second. If you want a managed key with normalized financials, a wrapper like Edgrapi issues one free, 100 requests with no credit card.
What is the SEC EDGAR User-Agent header?
The User-Agent header is how the SEC EDGAR API identifies who is calling. The SEC asks for your name or company and a contact email, formatted like 'Acme Analytics you@acme.com', so it can reach you instead of blocking your IP. It is the only credential the official data.sec.gov endpoints require, alongside the 10 requests-per-second limit.
Is there a free SEC API key?
The SEC's own API is free and needs no key at all. For a managed key, third-party wrappers offer free tiers: Edgrapi gives 100 requests with no credit card, and the key looks like edgr_ and goes in a Bearer header. That free tier covers every endpoint, so you can test fundamentals, ratios, filings, and the MCP server before paying anything.
How do I authenticate with the SEC API?
For the raw SEC API, set a User-Agent header with your name and email on every request to data.sec.gov; there is no token. For Edgrapi's normalized API, send your key as Authorization: Bearer edgr_your_key. A missing or malformed key returns 401, and a valid one returns the company's financials as clean JSON.
What is the difference between a SEC filer API token and a data API key?
They are unrelated. SEC filer and user API tokens are for submitting filings through EDGAR as a registered filer, not for reading data. The data.sec.gov APIs that return company financials need no token at all, only a User-Agent header. Most developers asking about a 'SEC API key' actually want read access, which is keyless.
How do I get an Edgrapi API key?
Sign up with your email at edgrapi.com, copy the edgr_ key from your dashboard, and send it as Authorization: Bearer edgr_your_key on each request to api.edgrapi.com. The free tier is 100 requests with no credit card, enough to pull normalized financials for any of 10,400+ US public companies and test the MCP server.