> ## Documentation Index
> Fetch the complete documentation index at: https://docs.therundown.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate your requests to TheRundown API using API keys.

TheRundown API supports two methods of authentication. Choose the method that best fits your application architecture.

## Authentication Methods

### Query Parameter

The simplest approach is to pass your API key as a query parameter. Append `key` to any request URL.

```
https://therundown.io/api/v2/events?key=YOUR_API_KEY
```

<Warning>
  Query parameter authentication is convenient for testing but may expose your key in server logs and browser history. Prefer header-based authentication in production.
</Warning>

### Request Header

Pass your API key in the `X-TheRundown-Key` request header. This is the recommended method for server-side applications.

```
X-TheRundown-Key: YOUR_API_KEY
```

## Code Examples

<CodeGroup>
  ```bash curl (Query Parameter) theme={null}
  curl "https://therundown.io/api/v2/sports/2/events/2026-02-12?key=YOUR_API_KEY"
  ```

  ```bash curl (Header) theme={null}
  curl -H "X-TheRundown-Key: YOUR_API_KEY" \
    "https://therundown.io/api/v2/sports/2/events/2026-02-12"
  ```

  ```python Python theme={null}
  import requests

  API_KEY = "YOUR_API_KEY"
  BASE_URL = "https://therundown.io/api/v2"

  # Using header authentication (recommended)
  headers = {
      "X-TheRundown-Key": API_KEY
  }

  response = requests.get(f"{BASE_URL}/sports/2/events/2026-02-12", headers=headers)
  data = response.json()

  print(data)
  ```

  ```javascript JavaScript theme={null}
  const API_KEY = "YOUR_API_KEY";
  const BASE_URL = "https://therundown.io/api/v2";

  // Using header authentication (recommended)
  const response = await fetch(`${BASE_URL}/sports/2/events/2026-02-12`, {
    headers: {
      "X-TheRundown-Key": API_KEY,
    },
  });

  const data = await response.json();
  console.log(data);
  ```
</CodeGroup>

## Public Endpoints

The following endpoints do **not** require authentication and can be called without an API key:

| Endpoint                 | Description                                          |
| ------------------------ | ---------------------------------------------------- |
| `GET /api/v2/sports`     | Returns the list of available sports and their IDs.  |
| `GET /api/v2/affiliates` | Returns the list of available sportsbook affiliates. |

These endpoints are useful for bootstrapping your application with reference data before making authenticated requests.

## Security Best Practices

<AccordionGroup>
  <Accordion title="Never expose keys in client-side code">
    API keys embedded in frontend JavaScript, mobile app bundles, or public repositories can be extracted by anyone. Always route API calls through your own backend server.
  </Accordion>

  <Accordion title="Use environment variables">
    Store your API key in an environment variable rather than hardcoding it in source files. This prevents accidental commits to version control and makes key rotation straightforward.

    ```bash theme={null}
    # .env file (never commit this)
    THERUNDOWN_API_KEY=your_key_here
    ```

    ```python Python theme={null}
    import os
    api_key = os.environ["THERUNDOWN_API_KEY"]
    ```

    ```javascript Node.js theme={null}
    const apiKey = process.env.THERUNDOWN_API_KEY;
    ```
  </Accordion>

  <Accordion title="Rotate keys if compromised">
    If you suspect your API key has been exposed, contact TheRundown support immediately to rotate your key. Update all services that reference the old key as part of the rotation.
  </Accordion>

  <Accordion title="Use separate keys per environment">
    Maintain distinct API keys for development, staging, and production. This limits the blast radius if a non-production key is leaked and makes it easier to track usage per environment.
  </Accordion>
</AccordionGroup>
