Authentication
Cito API uses API keys to authenticate requests. Keep your keys secure and never expose them in client-side code.
API Key Types
Live Keys
sk_live_...Production keys that access real data. Use these in your deployed applications.
Test Keys
sk_test_...Sandbox keys with mock data. Use these during development and testing.
Using Your API Key
Include your API key in the Authorization header of every request:
curl -X GET "https://api.citoapi.com/v1/fortnite/matches/live" \
-H "Authorization: Bearer sk_live_your_key_here" \
-H "Content-Type: application/json"Or using our SDKs:
// JavaScript
import { CitoAPI } from '@citoapi/sdk';
const cito = new CitoAPI('sk_live_your_key');
# Python
from citoapi import CitoAPI
cito = CitoAPI('sk_live_your_key')Security Best Practices
Never expose keys in client-side code
API keys should only be used server-side. Never include them in JavaScript that runs in the browser.
Use environment variables
Store keys in environment variables, not in source code.
export CITO_API_KEY="sk_live_your_key_here"Rotate keys regularly
Generate new keys periodically and revoke old ones from the dashboard.
If your key is compromised
Immediately revoke it from your dashboard and generate a new one. Contact support if you notice unauthorized usage.
Authentication Errors
| Code | Error | Description |
|---|---|---|
401 | Unauthorized | Missing or invalid API key |
403 | Forbidden | API key doesn't have access to this resource |
429 | Rate Limited | Too many requests, see rate limits |
{
"error": {
"type": "authentication_error",
"message": "Invalid API key provided",
"code": "invalid_api_key"
}
}