Elsevier Developer Portal

API Authentication

The Elsevier APIs support various authentication methods. For all methods, your application passes in an "APIKey" with each request.

You register for an APIKey here.

Technical specifications for the APIs are here.

API Authentication methods for customers

Each APIKey provides access to a limited amount of content by default, as documented here.

Automatic IP address based authentication for institutional subscribers of Scopus/ScienceDirect

First, register for an API Key here. You hard-code this API Key into your application.

You either submit the APIKey within a request URL parameter: [apikey]

Or use this HTTP header with each request:

X-ELS-APIKey: [apikey]

Our systems automatically associate your request with your customer account and return content according to that account's entitlements.
Sometimes we associate multiple IP addresses with different accounts in our account management system. In these situations your code needs to capture and maintain a security device we call an "authtoken".

Authtoken authentication

After obtaining an authtoken from the Authentication API, the client submits the authtoken with each API request.

The following diagram and step-by-step explanation describe this logic in more detail.

[Diagram: Elsevier API Authentication Flow]

The steps:

Insttoken Authentication

If neither automatic IP authentication nor use of the Authentication API meets your requirements, please contact us through our Elsevier Research Product APIs Support Center.

An insttoken is an additional security token submitted in tandem with your APIKey.
Insttokens are only available to customers or partners working on behalf of a customer. If Elsevier grants you an insttoken, there are restrictions to follow:

  1. The insttoken must be kept secure server-side in a password-protected environment.
  2. The insttoken represents full access to a customer account within our authentication and entitlements system.
  3. All requests using an insttoken must come over HTTPS.

You submit insttokens in the header: X-ELS-Insttoken
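
An added example, not code from the Elsevier portal: a Python helper that sends the APIKey and insttoken in the two headers named above, refuses to send an insttoken over anything but https or inside the URL, and masks both values before they reach a log. The endpoint URL, the environment variable names and the credential values are constructed placeholders.

```python
import os
from urllib.parse import parse_qsl, urlsplit
from urllib.request import Request

APIKEY_HEADER = "X-ELS-APIKey"        # header name given on this page
INSTTOKEN_HEADER = "X-ELS-Insttoken"  # header name given on this page
SECRET_HEADERS = {APIKEY_HEADER.lower(), INSTTOKEN_HEADER.lower()}


def load_credentials(env=os.environ):
    """Read credentials from the server-side environment (assumed names)."""
    return env["ELS_APIKEY"], env.get("ELS_INSTTOKEN")


def build_request(url, apikey, insttoken=None):
    """Return an unsent urllib Request with credentials in headers only."""
    parts = urlsplit(url)
    if insttoken:
        # Restriction 3: requests that use an insttoken must go over https.
        if parts.scheme != "https":
            raise ValueError("insttoken requests must use https")
        # The insttoken belongs in its header; URLs end up in access logs.
        if any(v == insttoken for _, v in parse_qsl(parts.query)):
            raise ValueError("insttoken must not appear in the URL")
    headers = {APIKEY_HEADER: apikey, "Accept": "application/json"}
    if insttoken:
        headers[INSTTOKEN_HEADER] = insttoken
    return Request(url, headers=headers)


def redacted_headers(req):
    """Headers in a form safe to log: names lowercased, secrets masked."""
    return {k.lower(): ("***" if k.lower() in SECRET_HEADERS else v)
            for k, v in req.header_items()}


if __name__ == "__main__":
    # Constructed values; api.example.invalid is a placeholder host.
    creds = {"ELS_APIKEY": "key-constructed", "ELS_INSTTOKEN": "tok-constructed"}
    req = build_request("https://api.example.invalid/search?query=test",
                        *load_credentials(creds))
    print(redacted_headers(req))
```
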