Authentication
API keys, scopes, and secure usage.
Authentication
This page explains how authentication works with the Fixtures API and how to use API keys safely.
API keys
You need an API key to authenticate requests. Keys are created in the Fixtures Dashboard under Developers → API keys.
Secret key
- Format:
fix_sk_...(live) orfix_sk_test_...(test). - Full access to your account. Use only on the server.
- Never commit to version control or expose in client-side code.
Publishable key
- Format:
fix_pk_.... - Limited to non-destructive, public operations where supported.
- Safe to use in client-side code (e.g. browsers, mobile apps).
Using the key in requests
Set the key when creating the client:
const client = new FixturesClient({
apiKey: process.env.FIXTURES_API_KEY,
});
Or pass it per request if your SDK supports it:
const events = await client.events.list({
apiKey: process.env.FIXTURES_API_KEY,
});
Scopes (optional)
If your account supports scoped keys, you can restrict a key to specific resources or actions. Configure scopes in the dashboard when creating the key.
Best practices
- Use environment variables – Store keys in
FIXTURES_API_KEYor a secrets manager. - Separate test and live – Use test keys for development; switch to live keys only in production.
- Rotate keys – Create new keys periodically and revoke old ones.
- Restrict by IP – If available, restrict keys to your server IPs.
Next steps
- API overview – Base URL and request format
- Reference: Environment variables – All env vars