Authentication
The Spotium API uses bearer tokens. Every request must include an Authorization header.
Format
httphttp
Authorization: Bearer sk_live_abc123...Where to get a key
API keys are created in the Spotium dashboard under Settings → API Keys. Each key has an optional expiration date and can be revoked at any time. Keys are hashed at rest — Spotium never stores the raw value after creation.
Test vs live
sk_test_...— free calls against a fixture dataset. Ideal for the inline try-it panel on each endpoint page.sk_live_...— real data, real credits.
Errors
Missing or invalid keys return HTTP 401:
jsonjson
{
"error": "invalid or revoked api key",
"request_id": "b7f7c5f4-..."
}Best practices
- Never ship a live key in client-side code. Proxy calls through your backend.
- Rotate keys quarterly, and immediately if you suspect leakage.
- Scope one key per environment (dev, staging, production).