x-api-key header, except the unauthenticated infrastructure endpoints (/health, /ready, /status, /metrics).
How to authenticate
Pass your API key in thex-api-key request header:
API key metadata
Each API key resolves to a client and its access rules:| Field | Description |
|---|---|
clientName | Your client identifier — all accounts, orders, and bets are filtered by it |
bookmakers | Allowed bookmaker slugs (empty = all bookmakers) |
rps | Requests per second allowed for this client (default: 100) |
active | Whether this key is active |
clientName.
WebSocket authentication
For WebSocket connections, authenticate via the login message after connecting (the/ws endpoint itself does not require the x-api-key header):
Rate limiting
Requests are rate-limited per client — by default 100 requests per second, with a maximum of 5 concurrent WebSocket connections per API key. Full detail, headers, and backoff guidance live in Rate limits.Error responses
The auth middleware emits errors under an
error key, while application-level errors (validation, not-found, etc.) use the FastAPI-standard detail key. Handle both shapes.| Situation | Status | Body |
|---|---|---|
| Header missing | 403 | {"detail": "Missing API key header: x-api-key"} |
| Key invalid / inactive / expired | 401 | {"error": "Invalid or inactive API key"} |
| Key valid but not allowed for the endpoint / sport / bookmaker | 403 | {"error": "Access denied to endpoint"} |
| Rate limit exceeded | 429 | {"detail": "Rate limit exceeded", "limit": "100", "retry_after": 1} |
Next steps
Quickstart
Place your first bet in 5 steps.
Limits & Reliability
Per-client rate limits, circuit breakers, and emergency mode.