Developer docs

try.vin API

A clean, JSON-first HTTP API for vehicle identification. Start with the VIN decoder; more endpoints — recalls, safety ratings, and full history — are rolling out next.

Bearer token auth

Every request carries an Authorization header. Tokens are scoped to specific abilities.

Per-token rate limits

Limits are applied per key, so one noisy integration never starves another.

Stable JSON shapes

Versioned under /api/v1. Breaking changes ship under a new prefix.

Authentication

All API requests are authenticated with a personal access token. Create one from the API keys dashboard. Treat tokens like passwords — store them in an environment variable and never commit them.

Send the token as a Bearer credential in the Authorization header.

curl -H "Authorization: Bearer $TRYVIN_API_KEY" \
     -H "Accept: application/json" \
     https://try.vin/api/v1/vin/1HGBH41JXMN109186

In JavaScript

const res = await fetch('https://try.vin/api/v1/vin/1HGBH41JXMN109186', {
  headers: {
    Authorization: `Bearer ${process.env.TRYVIN_API_KEY}`,
    Accept: 'application/json',
  },
});

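// A non-2xx response carries an error body, not `data` (see Errors).
if (!res.ok) throw new Error(`try.vin request failed with status ${res.status}`);

const { data } = await res.json();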

Abilities

Each API key is granted one or more abilities (OAuth-style scopes). Requests to an endpoint require the ability listed in the endpoint reference.

Ability      Grants
vin:decode   Decode a 17-character VIN into year, make, model, trim, engine, and plant country.

Endpoints

GET /api/v1/vin/{vin}

VIN Decoder

Decode a 17-character VIN.

Requires ability vin:decode • 30 req/min per token

Reference

Errors

Errors follow a predictable JSON shape. Status codes carry the semantic meaning; the body gives context.

Status   Meaning
401      Missing or invalid API key.
403      API key lacks the required ability.
404      VIN could not be decoded.
422      Malformed VIN (not 17 characters or contains I/O/Q).
429      Rate limit exceeded. Retry after a minute.
502      Upstream NHTSA decoder temporarily unavailable.
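
The following client sketch is an added example, not try.vin's own code. It rejects a malformed VIN before it reaches the URL path or spends rate-limit budget, and it maps the status codes above to retry or fail decisions. The helper names, the upper-casing and A-Z/0-9 restriction, the 5-second wait on 502 and the attempt limit are assumptions of this example.

```javascript
// Added example; helper names and retry policy are assumptions, not try.vin's client.
const BASE = 'https://try.vin/api/v1/vin/';

// Client-side mirror of the documented 422 rule: 17 characters, no I, O or Q.
// Upper-casing and limiting input to A-Z/0-9 are assumptions of this example;
// they also keep path separators and other URL syntax out of the request path.
function normalizeVin(input) {
  const vin = String(input).trim().toUpperCase();
  return /^[A-HJ-NPR-Z0-9]{17}$/.test(vin) ? vin : null;
}

// Map each documented status code to what the caller should do next.
function classifyStatus(status) {
  switch (status) {
    case 401: return { retry: false, action: 'missing or invalid API key' };
    case 403: return { retry: false, action: 'key lacks the vin:decode ability' };
    case 404: return { retry: false, action: 'VIN could not be decoded' };
    case 422: return { retry: false, action: 'malformed VIN' };
    case 429: return { retry: true, waitMs: 60000, action: 'rate limit exceeded' };
    // The 5 s wait is an assumed value; the page only says "temporarily unavailable".
    case 502: return { retry: true, waitMs: 5000, action: 'upstream decoder unavailable' };
    default: return { retry: false, action: `unexpected status ${status}` };
  }
}

const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// fetchImpl and sleep are injectable so the logic can be exercised offline.
async function decodeVin(input, { token, fetchImpl = fetch, sleep = realSleep, maxAttempts = 3 } = {}) {
  const vin = normalizeVin(input);
  if (!vin) throw new Error('malformed VIN, request not sent');
  if (!token) throw new Error('API key missing (expected from TRYVIN_API_KEY)');
  for (let attempt = 1; ; attempt++) {
    const res = await fetchImpl(BASE + vin, {
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
    });
    if (res.ok) return (await res.json()).data;
    const verdict = classifyStatus(res.status);
    if (!verdict.retry || attempt >= maxAttempts) {
      // Report status and action only; never echo the token or request headers.
      throw new Error(`try.vin ${res.status}: ${verdict.action}`);
    }
    await sleep(verdict.waitMs);
  }
}
```

Call it as `decodeVin(vin, { token: process.env.TRYVIN_API_KEY })`; a 401 or 403 is never retried, since repeating the request cannot fix a bad or under-scoped key.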