No signup, no keys, no OAuth
Unlike most APIs, you don't need to:
- Create an account
- Generate an API key
- Send a
Authorizationheader - Sign requests with HMAC
- Refresh OAuth tokens
- Pay for a plan
You just send your HTTP request to https://cleverutils.com/api/v1/* and it works.
How abuse is prevented then?
We track usage by IP address. Each IP gets a generous daily quota and a small per-request cooldown to prevent floods. See rate limits for the full details.
If a single IP makes too many requests, it's temporarily throttled (HTTP 429). Repeated abuse leads to a 24-hour ban (HTTP 403).
Is my IP stored?
Yes — but only as a salted SHA-256 hash, never plaintext. We use it for two things:
- Rate limiting — the hash is the key for our per-IP counter files in
/tmp/cleverutils-api-ratelimit/. These files are auto-deleted after 25 hours. - Logging — the first 16 characters of the hash are written to our request logs (in
/tmp/cleverutils-api-logs/) for debugging and abuse detection. Logs are rotated after 30 days.
We never store plaintext IPs. We never log request bodies. We never share data with third parties.
Sessions and cookies
For historical reasons, the API may set a PHPSESSID cookie on responses. You can ignore it. The API does not depend on sessions or cookies for authentication or rate limiting — it's purely IP-based.
Most HTTP clients (cURL without -c, Python requests without Session, Go http.DefaultClient) don't persist cookies anyway. You can safely ignore the header.
What about CORS?
The API responds with Access-Control-Allow-Origin: * on every endpoint, so you can call it directly from a browser-based JavaScript app on any domain. Preflight (OPTIONS) requests are handled automatically.
Future: optional API keys
We may introduce optional API keys later for users who need higher quotas or want per-key analytics. When that happens:
- The free anonymous tier will remain free and key-free.
- Keys will be sent via the
X-API-Keyrequest header (notAuthorization: Bearer). - This page will be updated with full instructions.
Until then: just make HTTP requests and you're authenticated.