# Authentication

Sports Stack API uses Bearer token authentication. Include your API key in the `Authorization` header for all requests.

## Getting Your API Key

1. Log in to your Sports Stack account
2. Navigate to **Settings → API Keys**
3. Click **"Generate New API Key"**
4. Copy the key immediately (it won't be shown again)

## Using Your API Key

Include your API key in the `Authorization` header:

```bash
curl -X GET "https://api.sportsstack.io/api/v1/teams" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```python
import requests

headers = {
    "Authorization": "Bearer YOUR_API_KEY"
}

response = requests.get(
    "https://api.sportsstack.io/api/v1/teams",
    headers=headers
)
```

```javascript
const fetch = require('node-fetch');

// CommonJS modules have no top-level await, so make the call inside an async function
async function getTeams() {
  const response = await fetch(
    'https://api.sportsstack.io/api/v1/teams',
    {
      headers: {
        'Authorization': 'Bearer YOUR_API_KEY'
      }
    }
  );
  return response;
}
```

## Security Best Practices

### 1. Keep Your API Key Secret

* **Never** commit API keys to version control
* **Never** share API keys in public forums or chat
* **Never** expose API keys in client-side code

### 2. Use Environment Variables

```bash
# Set environment variable
export SPORTS_STACK_API_KEY="your-api-key-here"

# Use it in a request
curl -X GET "https://api.sportsstack.io/api/v1/teams" \
  -H "Authorization: Bearer $SPORTS_STACK_API_KEY"
```

```python
import os
import requests

# Indexing raises KeyError when the variable is unset,
# rather than silently sending "Bearer None"
api_key = os.environ['SPORTS_STACK_API_KEY']

headers = {
    "Authorization": f"Bearer {api_key}"
}

response = requests.get(
    "https://api.sportsstack.io/api/v1/teams",
    headers=headers
)
```

### 3. Rotate Keys Regularly

* Generate new API keys periodically
* Revoke old keys that are no longer needed
* Monitor API key usage in your dashboard

### 4. Use Different Keys for Different Environments

* Use separate API keys for development, staging, and production
* Rotate keys when team members leave
* Monitor key usage for suspicious activity

## Error Responses

### 401 Unauthorized

```json
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}
```

**Causes**:

* Missing `Authorization` header
* Invalid API key
* Expired API key

**Solution**: Check your API key and ensure it's correctly formatted in the header.

### 403 Forbidden

```json
{
  "error": "Forbidden",
  "message": "Insufficient permissions"
}
```

**Causes**:

* API key doesn't have required permissions
* Tenant access restrictions

**Solution**: Check your API key permissions in the dashboard.

## Rate Limits

API keys are subject to rate limits. See [Rate Limits](./rate-limits.md) for details.

## Related Documentation

* [Quickstart](./quickstart.md) - Get started quickly
* [Rate Limits](./rate-limits.md) - Rate limiting policies
* [API Reference](../api-reference/) - Complete API documentation
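
The following is an added example, not Sports Stack's own code, that ties the Security Best Practices and Error Responses sections together: it reads the key from `SPORTS_STACK_API_KEY`, refuses to send a request when the key is missing or malformed, and turns the documented 401/403 bodies into errors that never contain the full key. The helper names, the `AuthError` class and the last-four-characters redaction are assumptions made for illustration; it uses only the standard library so it can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.sportsstack.io/api/v1"  # base URL shown on this page
ENV_VAR = "SPORTS_STACK_API_KEY"                # variable name shown on this page


class AuthError(Exception):
    """Missing key or a 401/403 response; the message never holds the full key."""


def load_api_key(env=os.environ):
    """Read the key from the environment and fail closed if it is unusable."""
    key = (env.get(ENV_VAR) or "").strip()
    if not key or any(c.isspace() for c in key):
        raise AuthError(f"{ENV_VAR} is unset or malformed; refusing to send a request")
    return key


def redact(key):
    """Log-safe form of the key (assumed convention: last four characters)."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def explain(status, body):
    """Map the documented 401/403 bodies to the causes this page lists."""
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = ""
    if status == 401:
        return f"401 {message}: header missing, or key invalid or expired"
    if status == 403:
        return f"403 {message}: key lacks permissions or tenant access is restricted"
    return None


def get_teams(env=os.environ, opener=urllib.request.urlopen):
    """GET /teams; `opener` is injectable so the logic can be tested offline."""
    key = load_api_key(env)
    req = urllib.request.Request(f"{API_BASE}/teams",
                                 headers={"Authorization": f"Bearer {key}"})
    try:
        with opener(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        reason = explain(err.code, err.read().decode("utf-8", "replace"))
        if reason is None:
            raise  # not an authentication problem; let the caller handle it
        raise AuthError(f"{reason} (key {redact(key)})") from None
```

Catching `AuthError` separately from other failures lets a job stop retrying immediately on a revoked or under-privileged key, and the redacted suffix is enough to tell which environment's key was in use.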