Skip to main content
The MedDRA Explorer API uses simple API keys for authentication. Every request must include a valid key issued from the MedDRA dashboard; requests without a key (or with an invalid key) are rejected before hitting the service.

Getting an API key

  • Visit meddra.co/login and sign in with your account.
  • Navigate to Settings → API Access to create, rotate, or revoke keys.
  • Each key is tied to your organisation and inherits your plan’s quota and feature entitlements.
  • You can generate multiple keys—for example, one for production and one for staging.
Store the key in an environment manager such as .env, AWS Secrets Manager, or HashiCorp Vault. Never commit keys to source control or ship them in client-side code.

Sending authenticated requests

Include the key with the X-API-Key header on every request: 
curl https://api.meddra.co/codes?q=anaphylaxis \
  -H "X-API-Key: sk_live_XXXXXXXXXXXXXXXXXXXX"

Node.js (fetch)

await fetch('https://api.meddra.co/classify', {
	method: 'POST',
	headers: {
		'Content-Type': 'application/json',
		'X-API-Key': process.env.MEDDRA_API_KEY!,
	},
	body: JSON.stringify({ description }),
})

Python (requests)

import os
import requests

response = requests.get(
    "https://api.meddra.co/codes",
    params={"q": "dizziness"},
    headers={"X-API-Key": os.environ["MEDDRA_API_KEY"]},
)
response.raise_for_status()

Key rotation & revocation

  • Rotate regularly: issue new keys on a schedule and deprecate old ones to reduce exposure.
  • Revoke compromised keys immediately from the dashboard; revoked keys start returning 401 Unauthorized.
  • Audit usage: the dashboard shows per-key request volume to help identify unexpected traffic.

Error responses

StatusReasonFix
401Missing, malformed, or revoked API key.Ensure the X-API-Key header is present and the key is still live.
403Account disabled or feature not available.Contact support to restore access or upgrade your plan.
All other errors (validation, rate limiting, server issues) still include the request ID so you can contact support.

Security best practices

  • Scope keys per environment and least-privileged service.
  • Inject keys at deploy time (CI/CD or secrets manager) instead of embedding them in code.
  • Avoid sharing the same key across contractors or temporary integrations—issue separate keys so you can revoke them individually.
Once you have authentication wired up, continue with API Version to understand version pinning or review API Error Handling for troubleshooting guidance.