Personal APIs
Paste your own provider tokens to unlock auto-fill features. CardboardChasr proxies the call with your key on the server — the raw token never ships to your browser.
How it works
- 1. You paste a token in Settings → Personal APIs.
- 2. We store it in your profile’s preferences JSONB column, RLS-scoped so only you + the server role can read it.
- 3. When CardboardChasr needs PSA data (cert lookup on a slab add / in-grading outcome), our server action reads the token, calls the provider, returns the parsed data.
- 4. Your client bundle only sees { connected: true, last_four: "1234" }. Never the raw token.
PSA
PSA Public API
100 calls/day free · OAuth 2.0 bearer · cert lookup only
- Go to psacard.com/publicapi and sign in with your PSA credentials.
- Generate an access token. The token is long — typically 200+ characters.
- Paste it into Settings → Personal APIs → PSA and hit Save.
- Unlocks the “+ Slab” quick-add flow and the PSA button on In-Grading outcome rows.
Rate limit is 100 calls/day per user. If you hit it, try again tomorrow or email PSA for a paid tier (no published pricing).
Coming soon
- eBay Browse API — app-level auth (no per-user token needed). Will power current_value auto-refresh for the entire binder.
- BGS / SGC / CGC — no public APIs exist. We’ll add manual “deep link to cert page” buttons instead.
- CardLadder — enterprise-only API, no self-serve access. We’ll match their search terminology where we can.
Security notes
- Tokens are protected by Row-Level Security — only your signed-in session and the service role can read them.
- Tokens are never logged. If you see a token value in an error message or an issue report, that’s a bug — please tell us.
- When you paste a replacement token, the old one is overwritten. No history is kept.
- When you hit Remove, the provider key is deleted from your preferences immediately.
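The server-side pattern from "How it works" and the no-logging rule from "Security notes", sketched as an added example; this is not CardboardChasr's own code. The preferences shape (a psa.token field) and the injected callProvider function are assumptions made for illustration.

```javascript
// Added example. The `psa.token` field and `callProvider` are hypothetical
// names; the page does not publish its schema or server code.

// What the client bundle may see: connection state plus the last four characters.
function clientView(preferences) {
  const token = preferences?.psa?.token;
  if (typeof token !== "string" || token.length === 0) {
    return { connected: false, last_four: null };
  }
  // Assumed safeguard: a very short value would be mostly revealed by its
  // last four characters, so show the suffix only for tokens of real length.
  return { connected: true, last_four: token.length >= 16 ? token.slice(-4) : null };
}

// Replace every occurrence of the token in text bound for logs or error reports.
function scrub(text, token) {
  return token ? String(text).split(token).join("[redacted]") : String(text);
}

// Server-side only: read the token, call the provider, return the parsed data.
// Provider failures come back with the token scrubbed, so an upstream error
// that echoes the Authorization header cannot carry the token into a log line.
async function lookupCert(preferences, certNumber, callProvider) {
  const token = preferences?.psa?.token;
  if (!token) return { ok: false, error: "not_connected" };
  try {
    const data = await callProvider(certNumber, { Authorization: `Bearer ${token}` });
    return { ok: true, data };
  } catch (err) {
    return { ok: false, error: scrub(err && err.message, token) };
  }
}

// Constructed sample: a 200-character fake token ending in "1234".
const samplePrefs = { psa: { token: "x".repeat(196) + "1234" } };
```

Only the return value of clientView should ever be serialized into a response; lookupCert and the raw preferences object stay in server-only code.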