Authentication

Secure your API requests with API keys

All Blitz Rocket API v1 endpoints require authentication via an API key. API keys are scoped to a team and can be managed from your team settings page.

Creating an API Key

  1. Log in to your Blitz Rocket dashboard
  2. Navigate to Settings → API Keys
  3. Click Create API Key
  4. Choose a key type (Public or Private)
  5. Copy your key — it will only be shown once

Key Types

Public Key

Public keys provide read-only access and are safe to use in client-side code. They can access:

  • GET /api/v1/contests — List contests
  • GET /api/v1/contests/:contestId — Get contest details
  • GET /api/v1/contests/:contestId/leaderboard — Get leaderboard
  • GET /api/v1/contests/:contestId/entries — List entries
  • GET /api/v1/contests/:contestId/analytics — Get analytics
  • GET /api/v1/entries/:entryId — Get entry details
  • GET /api/v1/entries/:entryId/bonus-actions — Get bonus actions
  • POST /api/v1/entries/:entryId/bonus-actions/:bonusActionId/complete — Complete bonus action

Private Key

Private keys provide full read/write access to all endpoints. Keep these secret and only use them in server-side code. In addition to all public key endpoints, private keys can access:

  • POST /api/v1/contests/:contestId/entries — Create entries
  • PUT /api/v1/entries/:entryId — Update entries
  • POST /api/v1/entries/:entryId/disqualify — Disqualify entries
  • POST /api/v1/entries/:entryId/points — Adjust points
  • POST /api/v1/contests/:contestId/purchases — Record purchases

Sending Your API Key

You can authenticate requests using either the x-api-key header or the apiKey query parameter:

# Option 1: x-api-key request header
curl -X GET https://blitzrocket.com/api/v1/contests \
  -H "x-api-key: vk_live_abc123def456"

# Option 2: apiKey query parameter
curl -X GET "https://blitzrocket.com/api/v1/contests?apiKey=vk_live_abc123def456"

Authentication Errors

If your API key is missing or invalid, you'll receive a 401 Unauthorized response:

{
  "success": false,
  "error": "Missing or invalid API key"
}

If you use a public key on a private-only endpoint, you'll receive a 403 Forbidden response:

{
  "success": false,
  "error": "This endpoint requires a private API key"
}

Security Best Practices

  • Never expose private keys in client-side code, public repositories, or browser requests
  • Rotate keys regularly — delete and recreate keys periodically
  • Use public keys for any client-side or browser-based integrations
  • Use private keys only in secure server-side environments
  • Store keys in environment variables, never hardcode them
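
An added example (not from the Blitz Rocket docs) of a pre-flight check that applies the key scoping and storage advice above: it picks the least-privileged key for each call from the private-only endpoint list, refuses private-key calls from browser code, and sends the key in the x-api-key header. The environment variable names BLITZ_PUBLIC_KEY and BLITZ_PRIVATE_KEY and all function names are assumptions.

```javascript
// Added example: choose the least-privileged key per call and keep it out of the URL.
// Assumed names (not from the docs): BLITZ_PUBLIC_KEY, BLITZ_PRIVATE_KEY, all functions.
const BASE_URL = "https://blitzrocket.com";

// Endpoints the page lists as private-key only.
const PRIVATE_ONLY = [
  ["POST", "/api/v1/contests/:contestId/entries"],
  ["PUT", "/api/v1/entries/:entryId"],
  ["POST", "/api/v1/entries/:entryId/disqualify"],
  ["POST", "/api/v1/entries/:entryId/points"],
  ["POST", "/api/v1/contests/:contestId/purchases"],
];

// Turn "/entries/:entryId" into an anchored regex; each :param matches one path segment.
function routeToRegex(route) {
  return new RegExp("^" + route.replace(/:[A-Za-z]+/g, "[^/]+") + "/?$");
}

// Returns "private" if the page lists this method + path as private-only, else "public".
function requiredKeyType(method, path) {
  const m = method.toUpperCase();
  const bare = path.split("?")[0]; // ignore any query string when matching
  const hit = PRIVATE_ONLY.some(([rm, route]) => rm === m && routeToRegex(route).test(bare));
  return hit ? "private" : "public";
}

// Build the request without sending it. `env` is normally process.env on a server.
function buildRequest(method, path, env, inBrowser = typeof window !== "undefined") {
  const keyType = requiredKeyType(method, path);
  if (keyType === "private" && inBrowser) {
    throw new Error("private-key endpoint called from client-side code");
  }
  const key = keyType === "private" ? env.BLITZ_PRIVATE_KEY : env.BLITZ_PUBLIC_KEY;
  if (!key) throw new Error(`no ${keyType} key configured`);
  // Header, not ?apiKey=: URLs are commonly written to access logs and browser history.
  return { method: method.toUpperCase(), url: BASE_URL + path, headers: { "x-api-key": key }, keyType };
}

// Map the two documented auth failures to an operator action.
function explainAuthFailure(status, body) {
  if (status === 401) return "key missing or invalid: check the configured key";
  if (status === 403) return "public key used on a private-only endpoint";
  return body && body.error ? body.error : "not an authentication error";
}
```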