Skip to main content
TheRundown API supports three methods of authentication. Choose the method that best fits your application architecture.

Authentication Methods

Query Parameter

The simplest approach is to pass your API key as a query parameter. Append key to any request URL. 
https://api.therundown.io/v2/events?key=YOUR_API_KEY
Query parameter authentication is convenient for testing but may expose your key in server logs and browser history. Prefer header-based authentication in production.

Request Header

Pass your API key in the X-TheRundown-Key request header. This is the recommended method for server-side applications. 
X-TheRundown-Key: YOUR_API_KEY

Bearer Token (OAuth2)

For applications using OAuth2 flows, pass a bearer token in the Authorization header. 
Authorization: Bearer YOUR_TOKEN

Code Examples

curl "https://api.therundown.io/v2/sports/2/events?key=YOUR_API_KEY"

Public Endpoints

The following endpoints do not require authentication and can be called without an API key:
EndpointDescription
GET /api/v2/sportsReturns the list of available sports and their IDs.
GET /api/v2/affiliatesReturns the list of available sportsbook affiliates.
These endpoints are useful for bootstrapping your application with reference data before making authenticated requests.

Security Best Practices

API keys embedded in frontend JavaScript, mobile app bundles, or public repositories can be extracted by anyone. Always route API calls through your own backend server.
Store your API key in an environment variable rather than hardcoding it in source files. This prevents accidental commits to version control and makes key rotation straightforward.
# .env file (never commit this)
THERUNDOWN_API_KEY=your_key_here
Python
import os
api_key = os.environ["THERUNDOWN_API_KEY"]
Node.js
const apiKey = process.env.THERUNDOWN_API_KEY;
If you suspect your API key has been exposed, contact TheRundown support immediately to rotate your key. Update all services that reference the old key as part of the rotation.
Maintain distinct API keys for development, staging, and production. This limits the blast radius if a non-production key is leaked and makes it easier to track usage per environment.