Authentication

Learn how to authenticate your API requests using API keys.

API Keys

The NBA 2K Ratings API uses API keys to authenticate requests. All requests must include a valid API key in the X-API-Key header.

Get Your API Key

Including your API key

Add your API key to the X-API-Key header in every request:

const response = await fetch(
  'https://api.nba2kapi.com/api/players',
  {
    headers: {
      'X-API-Key': 'your_api_key_here'
    }
  }
);

Best Practices

Store API keys in environment variables

Never hardcode API keys in your source code. Use environment variables instead.

.env

# .env
NBA2K_API_KEY=your_api_key_here

# JavaScript
const apiKey = process.env.NBA2K_API_KEY;

# Python
import os
api_key = os.getenv('NBA2K_API_KEY')

Add .env to .gitignore

Prevent committing your API keys to version control.

.gitignore

# .gitignore
.env
.env.local
.env.*.local

Never expose API keys in client-side code

API calls should be made from your backend/server, not directly from the browser. Exposing keys in client-side JavaScript makes them publicly accessible.

Regenerate compromised keys immediately

If you accidentally expose your API key, regenerate it immediately in your dashboard.

Error Responses

If authentication fails, you'll receive a 401 Unauthorized response:

// Missing API key
{
  "success": false,
  "error": {
    "message": "API key is required",
    "code": "MISSING_API_KEY"
  }
}

// Invalid API key
{
  "success": false,
  "error": {
    "message": "Invalid API key",
    "code": "INVALID_API_KEY"
  }
}

Need help?

If you're having trouble with authentication, check out the error handling guide or view your dashboard to verify your API key is active.