Get started

Authentication

Every private endpoint requires an API key. Pick one header per request — Bearer is recommended.

Authentication headers

Recommended

Authorization: Bearer <API_KEY>

Alternative

X-Api-Key: <API_KEY>

Bearer header

curl "https://api.betspread.io/api/v1/sports" \
  -H "Authorization: Bearer $BETSPREAD_API_KEY"

X-Api-Key header

curl "https://api.betspread.io/api/v1/sports" \
  -H "X-Api-Key: $BETSPREAD_API_KEY"

Where to get the key

Keys are created in the dashboard under API keys. The full secret is shown once at creation; store it in a secret manager and reference it through an environment variable.

Key rotation

Rotate keys from the same dashboard view. We recommend creating the new key, deploying it to your environment, then revoking the old key to avoid downtime. Revoked keys return 401 invalid_api_key on the next request.

Failure modes

Missing keys return 401 missing_api_key, rejected keys return 401 invalid_api_key, missing entitlements return 403 forbidden, and a live request without a Live plan returns 403 live_not_enabled. See Errors for the full contract.