Authentication
Cito API uses API keys to authenticate requests. Keep your keys secure and never expose them in client-side code.
API Key Types
Live Keys
cito_live_...Account API keys that access Cito API data. Use these in your deployed applications.
Demo Key
pk_demo_...Read-only public demo key for quick testing before signup.
Using Your API Key
Include your API key in the x-api-key header of every request:
curl -X GET "https://api.citoapi.com/api/v1/cod/matches/live" \
-H "x-api-key: cito_live_your_key_here" \
-H "Content-Type: application/json"Or using direct HTTP in your backend:
// JavaScript / Node
const response = await fetch("https://api.citoapi.com/api/v1/cod/matches/live", {
headers: { "x-api-key": process.env.CITO_API_KEY }
});
// Python
response = requests.get(
"https://api.citoapi.com/api/v1/cod/matches/live",
headers={"x-api-key": os.environ["CITO_API_KEY"]}
)Security Best Practices
Never expose keys in client-side code
API keys should only be used server-side. Never include them in JavaScript that runs in the browser.
Use environment variables
Store keys in environment variables, not in source code.
export CITO_API_KEY="cito_live_your_key_here"Rotate keys regularly
Generate new keys periodically and revoke old ones from the dashboard.
If your key is compromised
Immediately revoke it from your dashboard and generate a new one. Contact support if you notice unauthorized usage.
Authentication Errors
| Code | Error | Description |
|---|---|---|
401 | Unauthorized | Missing or invalid API key |
403 | Forbidden | API key doesn't have access to this resource |
429 | Rate Limited | Too many requests, see rate limits |
{
"error": {
"type": "authentication_error",
"message": "Invalid API key provided",
"code": "invalid_api_key"
}
}