Authentication

The Spotium API uses bearer tokens. Every request must include an Authorization header.

Format

httphttp
Authorization: Bearer sk_live_abc123...

Where to get a key

API keys are created in the Spotium dashboard under Settings → API Keys. Each key has an optional expiration date and can be revoked at any time. Keys are hashed at rest — Spotium never stores the raw value after creation.

Test vs live

  • sk_test_... — free calls against a fixture dataset. Ideal for the inline try-it panel on each endpoint page.
  • sk_live_... — real data, real credits.

Errors

Missing or invalid keys return HTTP 401:

jsonjson
{
  "error": "invalid or revoked api key",
  "request_id": "b7f7c5f4-..."
}

Best practices

  • Never ship a live key in client-side code. Proxy calls through your backend.
  • Rotate keys quarterly, and immediately if you suspect leakage.
  • Scope one key per environment (dev, staging, production).