How to fix authentication (401) errors
Resolve ER0201, ER0202 and ER0230 when the API rejects your key
Written by Erick Horn
June 27, 2026
How to fix authentication (401) errors
A 401 response means the APITube News API could not authenticate your request. There are three distinct causes, each with its own error code: ER0201 (no key was sent), ER0202 (the key is invalid or was revoked), and ER0230 (the key has expired). The fix depends on which code you get, so read the error field in the JSON response first.
curl "https://api.apitube.io/v1/news/everything?api_key=YOUR_API_KEY"
Every endpoint requires a key except /ping, /openapi.json and /robots.txt. You can pass the key either as an X-API-Key request header or as an api_key query parameter — both work, so pick whichever suits your client.
How to fix ER0201 — API key is required
ER0201 means no key reached the server at all. The message is “API key is required. Provide it via X-API-Key header or api_key query parameter.” This usually happens when the header name is misspelled, the api_key query parameter is empty, or a proxy stripped the header. Send the key one of these two ways:
# As a header
curl -H "X-API-Key: YOUR_API_KEY" "https://api.apitube.io/v1/news/everything"
# As a query parameter
curl "https://api.apitube.io/v1/news/everything?api_key=YOUR_API_KEY"
The header name is case-insensitive, so X-API-Key and x-api-key are equivalent. Make sure the value is not blank — an empty api_key= still counts as missing and returns ER0201.
How to fix ER0202 — invalid API key
ER0202 means a key was sent, but it does not match an active key on your account. Two situations produce it: the key string is wrong (a typo, a truncated copy-paste, or extra whitespace), or the key was revoked in the dashboard. A revoked key is treated by the API as if it no longer exists, so the fix is to use a different active key or create a new one. To resolve ER0202:
- Copy the key again from the dashboard, with no leading or trailing spaces.
- Confirm you are using the right environment: live keys start with
api_live_and test keys start withapi_test_. - If the key was revoked, generate a fresh key and update your application.
How to fix ER0230 — API key has expired
ER0230 means the key itself is valid but has passed its expiry date. Keys can be created with an expires_at date for time-boxed access, and once that moment passes every request returns 401 with ER0230. The fix is to either remove or extend the expiry on that key in the dashboard, or issue a new key without an expiry. There is no way to revive an expired key on the fly — the date is enforced on every request.
Is a 403 the same as a 401?
No. A 401 is always an authentication problem (no key, wrong key, expired key). A 403 is an authorization problem: the key is recognized but not allowed for this request. The News API returns ER0601 when your IP address is not on the key’s allow-list, ER0602 when the request’s domain is not allowed, and ER0603 when the key’s scopes do not include the endpoint you called. If you see a 403, the key works — the restriction on it does not match where or how you are calling from.
Common Questions
Why does my key work in one request but fail in another?
Check that both requests target the same environment and send the key the same way. A common cause is a test key (api_test_…) used where a live key (api_live_…) is expected, or a header that one client sends and another drops. Authentication is identical across endpoints, so a key that authenticates on /v1/news/everything will authenticate everywhere — if one call fails with 401, the key or its transport differs between the two calls.
Is a 401 the same as running out of credits?
No. A 401 is about the key being missing, invalid or expired. Running out of requests is a separate 402 response, not a 401. If your key authenticates but you are blocked by quota, check your remaining balance instead — see how to check your balance via the API. For request throttling, which returns 429, see how to handle rate-limit errors.
Should I put my API key in the URL or a header?
Both are supported, but the X-API-Key header is safer for production because query strings are more likely to be logged by proxies and servers. Use the api_key query parameter for quick tests and the header for anything that runs against live data.