ZipCodeAPI users get two API keys – the Application Key and the Client Key.
The application key is meant to be used on your own private server. As such, it doesn’t need to have a URL whitelist.
The client key is intended to be used in JavaScript. Because anyone can view the JavaScript, it needs extra protection, so we have the whitelist.
If you get the error “Client key could not be validated”, that means we saw that you used the client key, which means we need to validate that it’s a valid domain and send the CORS headers back to the browser. However, since it’s not sent from the browser, it doesn’t contain the request headers required to do that check.
Thanks to Matthew Day of Digital Crafts for the question.
You can try a free ZipCodeAPI demo and see for yourself.
