Authentication

All Sleeved API requests are authenticated with an API key. There are no public unauthenticated endpoints.

Getting an API Key

API keys are handed out on a case-by-case basis. Send an email to engineering@endlessgalaxy.dev with your project and use case to request an API key.

Key Format

Keys follow the format:

slvd_live_<hex>

where <hex> is a long hexadecimal string. Keep your key confidential — treat it like a password.

Making Authenticated Requests

Pass your key in the X-API-Key request header on every request:

curl https://api.sleeved.gg/api/v1/games \
  -H "X-API-Key: slvd_live_your_key_here"

There is no bearer token scheme, no OAuth flow, and no session cookie. Every request must carry the header independently.

Authentication Errors

If the key is missing, the API returns:

{
  "error": "API key required"
}

If the key is invalid or has been revoked, the API returns:

{
  "error": "Invalid API key"
}

Invalid and revoked keys return the same error message — this is intentional. Distinguishing between these cases would leak information about which keys exist.

If you receive a 401 and your key was previously working, contact the team at engineering@endlessgalaxy.dev to check whether your key has been rotated.

Security Recommendations

• Store your API key in an environment variable, not in source code
• Never expose your key in client-side JavaScript — all API calls should be made server-side
• Rotate your key if you suspect it has been compromised