From discovery to live try-it, to your project

Three steps to your first call

1. Open the API directory, filter by scenario or CORS, and find a "Free to use" entry.
2. Open the detail page, read the "Overview" tab, copy the cURL or sample code, and confirm requests go to the provider's base URL.
3. Once the call works locally or on a server, wire the endpoint into your project and use it long-term for free.

Take the catalog's 0x API as an example: business requests go to api.0x.org, not boyapi.com:

curl -G 'https://api.0x.org/swap/allowance-holder/price' \
    -H '0x-version: v2' \
    --data-urlencode 'chainId=1' \
    --data-urlencode 'sellToken=0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2' \
    --data-urlencode 'buyToken=0x6b175474e89094c44da98b954eedeac495271d0f' \
    --data-urlencode 'sellAmount=1000000000000000000'

All entries are cataloged — we do not proxy them

boyapi is a directory of public free APIs. It does not proxy business traffic and does not run an in-house product. Every entry is provided by a third-party public source; please use each one under the source's own free terms.

• Capability provider: third-party public APIs (government open data, open-source projects, community-maintained).
• Free capability: subject to the source's free terms — quotas, rate limits, commercial use all follow the source's docs.
• Where requests go: business requests hit the source's base_url directly (see the detail page and Agent notes for full_url_example). Do not send them to boyapi.com.

Read the "Fit check" on the detail page before turning a PoC into production.

Follow the detail page

Each API has its own auth style. The list below covers the common ones; for the exact headers and parameters, follow the detail page's "Overview" tab.

• No auth: just build the URL or body as documented; mind the source's quotas and CORS.
• AppKey / API Key: via query, header, or a provider console; never expose keys in frontends or public repos.
• AK/SK signing: build the request per the source's signing algorithm and timestamp rules.
• OAuth: obtain a token via the source's flow, then call with the token.

Send requests to the provider, not to boyapi.com

• Request URL: business requests go to the third-party base_url (see the detail page and Agent notes for full_url_example). boyapi only provides discovery and docs — it does not proxy business traffic.
• Protocol: usually REST/JSON; some APIs are GraphQL or follow custom formats. The "Protocol" field on the detail page tells you which.
• Sample code: the detail page includes cURL, JavaScript, and Python samples — copy and adjust parameters.

Browser calls & production deploys

• The detail page flags CORS (Yes / No / Unknown). If the source does not allow browser cross-origin calls, route through a server-side proxy — and never put keys in the frontend.
• For agents and automation: read the detail page's #boyapi-agent-spec and send requests to the provider's domain, not boyapi.com.
• Production tips: pin an outbound IP if the source requires it; set sane timeouts and retries; capture request IDs to reconcile with the source.

Common issues & the order to check them

1. Confirm the request URL points to the right provider (do not accidentally hit boyapi.com).
2. Check auth: is the key valid? Is the header name exactly as documented? Is the signature expired?
3. Read the HTTP status and response body: 401/403 = auth; 429 = rate limit; 4xx = params; 5xx = source or network issue.
4. CORS error in the browser: switch to a server-side call, or check the CORS flag on the detail page.
5. Free quota exhausted or commercial restrictions: read the source's terms.

The error-code table and FAQ on the detail page's "Overview" tab cover the specifics of each entry.

Start with these

These entries cover different categories so you can quickly feel the directory-filter and detail-page flow.