API Documentation·v1.0

Crime data, by the call.

The SpotCrime API powers real estate platforms, executive protection teams, family safety apps, and enterprise security operations across 22,000+ U.S. cities. This page documents the current API and the v1 surface coming next.

Download PDFGet an API Key

Base URLs

Current (stable)
https://api.spotcrime.com
v1 (planned)
https://api.spotcrime.com/v1

Authentication

All requests authenticate with a per-customer API key.

Query string (current API)
GET /crimes.json?lat=39.41&lon=-76.60&radius=0.5&key=YOUR_KEY
Authorization header (v1, planned)
Authorization: Bearer YOUR_KEY
Security note

The query-string form is the only auth method on the current API and is supported for backward compatibility. Because query strings can appear in proxy and webserver logs, treat any key sent that way as equivalent to a credential in transit: rotate on suspicion of exposure, never embed in client-side code, and prefer egress IP allowlisting (Pro / Enterprise). The v1 surface introduces the standard Authorization: Bearer header as the recommended method.

  • API keys are issued per customer/environment. Treat them as secrets.
  • Request a key at https://spotcrime.io/request-access.
  • Egress IP allowlists are available on Pro and Enterprise plans for an additional security layer.

Conventions

Transport
HTTPS, JSON request/response bodies, UTF-8.
Rate limits
Rate limits are per-key and depend on plan. Developer: 60 req/min. Pro: 600 req/min. Enterprise: custom. 429 responses include a Retry-After header.
Pagination
Endpoints that may return many results page via cursor (`next_cursor` in the response, `cursor` query param on the next request). Hard cap of 50 results per call on the current `/crimes.json` endpoint.
Errors
Errors return a JSON body: { errors: [string, ...] }. HTTP status codes follow REST conventions (400 invalid input, 401 invalid key, 404 unknown route, 429 rate-limited, 5xx server error).