Authentication
Server-to-server only
Section titled “Server-to-server only”Developer keys are designed for backend services only.
- Do not use keys in browser code.
- Do not expose keys in client bundles.
- Do not embed keys in mobile app binaries.
Header format
Section titled “Header format”Send your key in the Authorization header:
Authorization: Bearer YOUR_API_KEYX-API-Key may also be accepted for compatibility, but Authorization: Bearer is recommended.
Access restrictions
Section titled “Access restrictions”- Developer API keys are valid only for the six documented Minecraft data endpoints.
- Any non-listed endpoint returns
403. - Only
GETis allowed for key-based requests.
API key rate limits
Section titled “API key rate limits”- Developer keys use a dedicated rate-limit bucket.
- Current limit:
60 requests per 60 secondsper API key. - This bucket is separate from session-authenticated dashboard traffic.
Key lifecycle
Section titled “Key lifecycle”- One active key per user account.
- Revoke and rotate keys from your profile.
- Rotating immediately invalidates your previous key.
Example request
Section titled “Example request”curl -X GET "https://slowstack.tv/api/v1/players?limit=20" \ -H "Authorization: Bearer YOUR_API_KEY"Security recommendations
Section titled “Security recommendations”- Keep keys in a secret manager.
- Rotate immediately if leaked.
- Never commit keys to Git.
- Restrict egress from your backend infrastructure when possible.