Authentication

All API requests require authentication via an API key. Learn how to obtain, use, and secure your API key below.

How It Works

1. Sign up & get your key

Create a free account on the developer dashboard. Your unique API key is generated instantly and available in your account settings.

2. Include it in every request

Pass your API key in the X-API-Key HTTP header with every request you make to the API.

3. Start fetching data

Once authenticated, you can access all endpoints — sports, matches, odds, results, and live events.

The X-API-Key Header

Every request must include your API key as a custom HTTP header. The key must be sent exactly as shown — no prefix like "Bearer" or "Key".

auth-example.js
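// Placeholder key for illustration; load the real key from an environment variable.
const API_KEY = 'xbet_sk_a1b2c3d4e5f6g7h8i9j0';

const response = await fetch('https://api.xbetapi.com/v2/sports', {
  method: 'GET',
  headers: {
    // Plain key value: no "Bearer" or "Key" prefix
    'X-API-Key': API_KEY
  }
});

// 401 means the X-API-Key header was missing or the key is invalid
if (response.status === 401) {
  console.error('Invalid API key');
}

// Success and error responses both carry a JSON body
const data = await response.json();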

Correct vs Incorrect Usage

Correct
X-API-Key: xbet_sk_a1b2c3d4...

Plain key, no prefix, no extra whitespace.

Incorrect
// ✗ Don't use "Bearer"
Authorization: Bearer xbet_sk_...

// ✗ Don't add "Key:" prefix
X-API-Key: Key: xbet_sk_...

// ✗ Don't pass as query param
?api_key=xbet_sk_...

These will all return 401.

Where to Find Your API Key

Developer Dashboard

After signing up, navigate to Settings → API Keys in your dashboard. You'll see your active key(s) along with usage stats.

Authentication Error Responses

When authentication fails, the API returns a structured JSON error. Handle these gracefully in your code.

401 Unauthorized — Missing or invalid API key
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing or invalid X-API-Key header.",
    "status": 401
  }
}

403 Forbidden — Key valid but plan lacks access
{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "Your current plan does not include access to this endpoint. Upgrade to continue.",
    "status": 403
  }
}

429 Rate Limited — Too many requests
{
  "success": false,
  "error": {
    "code": "RATE_LIMITED",
    "message": "Rate limit exceeded. Retry after 12 seconds.",
    "status": 429,
    "retry_after": 12
  }
}

Security Best Practices

Never expose your key in client-side code

Do not embed your API key in frontend JavaScript, HTML, or mobile app binaries. Always proxy requests through your backend server.

Use environment variables

Store your API key in .env files or your hosting platform's secret manager. Never commit it to version control.

Rotate keys regularly

If you suspect your key has been compromised, regenerate it immediately from the dashboard. Old keys are invalidated instantly.

Use HTTPS only

All API requests must be made over HTTPS. HTTP requests will be rejected with a 403 response to prevent key interception.

Use separate keys per environment

Generate separate API keys for development, staging, and production. This limits blast radius if a dev key leaks.

Environment Variables Example

Recommended way to store and access your API key in different environments:

.env
# .env file (add to .gitignore!)
XBET_API_KEY=xbet_sk_a1b2c3d4e5f6g7h8i9j0
XBET_BASE_URL=https://api.xbetapi.com/v2
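
The practices above (key kept on the backend, read from environment variables, HTTPS only) and the documented 401/403/429 error bodies, combined in one server-side helper. This is an added example, not code from the API provider; it assumes Node.js 18+ with built-in fetch, and loadConfig, classifyError and getJson are hypothetical names.

```javascript
// Added example, not the provider's code. Assumes Node.js 18+ on your backend.
// XBET_API_KEY / XBET_BASE_URL come from the .env sample; function names are hypothetical.

// Validate configuration at startup so a bad key fails fast instead of as a 401 later.
function loadConfig(env) {
  const key = env.XBET_API_KEY || '';
  // Documented prefixes only; \S+ up to $ also rejects spaces or a trailing CR/LF.
  if (!/^xbet_(sk|pk)_\S+$/.test(key)) {
    throw new Error('XBET_API_KEY is missing or malformed');
  }
  const url = new URL(env.XBET_BASE_URL); // throws if unset or not a URL
  // The API answers plain HTTP with 403, but by then the key has crossed the wire.
  if (url.protocol !== 'https:') throw new Error('XBET_BASE_URL must use https');
  return { key, baseUrl: url.href.replace(/\/+$/, '') };
}

// Turn the documented JSON error body into a decision; the 1 s fallback wait is an assumption.
function classifyError(status, body) {
  const err = (body && body.error) || {};
  if (status === 401) return { action: 'fix-key', code: err.code };
  if (status === 403) return { action: 'check-plan', code: err.code };
  if (status === 429) {
    return { action: 'retry', code: err.code, waitMs: (err.retry_after ?? 1) * 1000 };
  }
  return { action: 'fail', code: err.code };
}

const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// fetchImpl and sleep are injectable so the logic can be exercised offline.
async function getJson(cfg, path, fetchImpl = fetch, sleep = realSleep, maxRetries = 2) {
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(cfg.baseUrl + path, {
      method: 'GET',
      headers: { 'X-API-Key': cfg.key }, // plain key, no prefix
    });
    const body = await res.json();
    if (res.ok) return body;
    const verdict = classifyError(res.status, body);
    if (verdict.action === 'retry' && attempt < maxRetries) {
      await sleep(verdict.waitMs);
      continue;
    }
    // Error text ends up in logs: report the error code, never cfg.key.
    throw new Error(`API request failed: ${res.status} ${verdict.code}`);
  }
}

// Usage: const cfg = loadConfig(process.env); const sports = await getJson(cfg, '/sports');
```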

API Key Format

All API keys follow this format. The prefix identifies the key type:

xbet_sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
xbet_sk_ Standard key (secret)
xbet_pk_ Public key (read-only)

Plan-Based Endpoint Access

Endpoint Group
Free
Pro
Business
Enterprise
Sports & Leagues
Pre-match Odds
Live Odds & Markets
Match Results
In-Play Events