An API key is a code players can generate in their account settings that can allow third-party apps to access certain account data via use of the API.
API keys are created at https://account.arena.net/applications. During the creation of the key, the player will need to give it a name and a set of permissions. The name is purely for the player's reference, though any third-party app the key is given to will be able to view the name.
The permissions of the API key designate what data a third party app would be able to access, if given this key. Permissions are not able to be changed after the key is created.
- This permission is mandatory for all keys. It allows access to your account name and ID, home world, joined guilds, and date of account creation.
- Allows access to your currently equipped specializations, traits, skills, and equipment for all game modes.
- Allows access to information on your characters, including name, level, race, gender, class, age, creation date, and death count.
- Allows access to guild-related information such as rosters, history, and MOTDs for all guilds you are a member of.
- Allows access to your account vault, Material Storage, and character inventories and equipment.
- Allows access to your achievements, dungeon unlocks, masteries, hungry cat scavenger hunt, and PvE progress.
- Allows access to your PvP stats, match history, reward track progression, and custom arena details.
- Allows access to your Trading Post transactions. This includes your current (pending) transactions, and up to 90 days of your past transactions.
- Allows access to a list of skins and dyes you have unlocked.
- Allows access to view your account wallet.
Deleting an API key takes effect immediately, and the API key will no longer work for any third party apps.
Authenticated endpoints can accept the API key in two ways.
- In a POST request, use the Authorization header field:
Authorization: Bearer [api key]. Note: preflight requests are not supported by the API backend.
- In a GET request, use the access_token query parameter:
?access_token=[api key]. This method circumvents the preflight requests of the CORS standard.