Authentication

sportapi uses Bearer token authentication. Every request must include your API key in the Authorization header.

Getting your API key

Request a key through the contact form. Trial keys are provisioned within one business day; production keys after we've aligned on plan and contract.

Keys have a recognizable prefix so you can spot them at a glance:

  • sk_test_… — trial / sandbox
  • sk_live_… — production
  • rk_… — restricted (scoped to specific sports or scopes)

Using your API key

Include it in every request as a Bearer token:

Authorization: Bearer sk_live_xxxxxxxxxxxx

With curl:

curl "https://api.sportapi.io/v1/nba/scores/live" \
  -H "Authorization: Bearer $SPORTAPI_KEY"

Key types

Type        Prefix     Purpose
Live        sk_live_   Production traffic
Test        sk_test_   Development & evaluation
Restricted  rk_        Scoped to specific sports or scopes (read-only, no betting tier, etc.)

Restricted keys

Use restricted keys whenever a key needs to leave a server you fully control — e.g. embedded in a mobile app, exposed via a public widget, or shared with a contractor. Restrictions are enforced server-side and cannot be bypassed by the client.

Common restriction dimensions:

  • Sports allowed (e.g. NBA only)
  • Endpoint categories (e.g. scores only, no odds)
  • IP allowlist
  • Origin allowlist (for browser usage)
  • Rate-limit override (lower ceiling than your main key)

⚠️ Restricted keys are not a substitute for proper backend handling. If your app makes a privileged call, route it through your server — don't expose a key that can make it.

Key rotation

You can rotate any key from the dashboard. Rotated keys remain valid for a configurable grace period (default 24 hours) so you can update your deploys before the old key dies. Set the grace period to zero if you suspect a key has leaked.

Security best practices

  • Never expose keys in client-side bundles or commit them to source control
  • Store keys in environment variables or a secret manager (Vault, AWS Secrets Manager, Doppler)
  • Use sk_test_ keys in development and CI; only use sk_live_ in production
  • Use restricted keys (rk_) for any client-side or third-party scenario
  • Rotate keys when employees leave or you change vendors
  • Monitor your usage — sudden spikes in requests are often the first sign of a leak
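
One way to enforce the first, third and fourth points in CI and at startup, as an added example that is not sportapi's own code. The key prefixes come from this page; the key body pattern, the function names and the sample input are assumptions made for illustration.

```python
import re

# Prefixes are from the page. The key body pattern (8+ alphanumerics) is an
# assumption: the page does not document the key format.
KEY_RE = re.compile(r"\b(sk_live_|sk_test_|rk_)([A-Za-z0-9]{8,})")
KINDS = {"sk_live_": "live", "sk_test_": "test", "rk_": "restricted"}


def redact(prefix, body):
    """Keep the prefix and last 4 characters so a finding can be matched to a key."""
    return f"{prefix}{'*' * (len(body) - 4)}{body[-4:]}"


def scan(text, client_side=False):
    """Return (line_no, kind, redacted_key, verdict) for each key-like string.

    Committed source: any key is a finding. Client-side bundle: only a
    restricted (rk_) key is acceptable, per the best-practices list.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            prefix, body = m.groups()
            if len(set(body)) == 1:  # doc placeholder such as sk_live_xxxxxxxxxxxx
                continue
            kind = KINDS[prefix]
            ok = client_side and kind == "restricted"
            findings.append((line_no, kind, redact(prefix, body), "ok" if ok else "leak"))
    return findings


def require_key_for(environment, key):
    """Build the Authorization header, refusing a live key outside production."""
    if not key.startswith(tuple(KINDS)):
        raise ValueError("value does not look like a sportapi key")
    if key.startswith("sk_live_") and environment != "production":
        raise ValueError(f"sk_live_ key used in {environment!r}; use sk_test_")
    return {"Authorization": f"Bearer {key}"}


# Constructed sample input; none of these are real keys.
SAMPLE = '''const API = "https://api.sportapi.io/v1/nba/scores/live";
const KEY = "sk_live_9fK2mQ7xLp41";   // hard-coded live key
// docs example: Authorization: Bearer sk_live_xxxxxxxxxxxx
const WIDGET_KEY = "rk_Zt8831aaBc90";
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE, client_side=True):
        print(finding)
```

Run scan() over staged files in a pre-commit hook and over built bundles with client_side=True; call require_key_for() once at process start with the key read from the environment or secret manager.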