Authentication
All requests to /api/v1/* require a Bearer token in the Authorization header. Tokens are issued by us manually and remain valid until they expire or are revoked.
Header format
```http
GET /api/v1/competitions HTTP/1.1
Host: stats-api.ds2.app
Authorization: Bearer 14|PdsNjlFjl9MwSEuXhXs1xdgXRFwHQ4mQKgRjNsfH4b750a06
Accept: application/json
```
Rate limits
By default the rate limit is determined by your plan. Custom limits can be configured on request.
| Plan | Requests / min | WebSocket |
|---|---|---|
| Free | 60 | ✅ |
| Starter | 600 | ✅ |
| Pro | 3000 | ✅ |
| Enterprise | 10000 (or custom) | ✅ |
Every response includes these headers:
```http
X-RateLimit-Limit: 3000
X-RateLimit-Remaining: 2847
```
When you exceed the limit
The server returns 429 Too Many Requests:
```http
HTTP/1.1 429 Too Many Requests
Retry-After: 42
Content-Type: application/json

{
  "message": "Rate limit exceeded",
  "limit_per_minute": 3000,
  "retry_after_seconds": 42
}
```
Pause for Retry-After seconds before retrying.
Errors
| Code | Meaning | Action |
|---|---|---|
| 401 | Missing or invalid token | Check the Authorization header |
| 402 | Account suspended / expired | Contact us |
| 403 | Competition not in your subscription | Upgrade your plan |
| 404 | Resource not found | Check the ID |
| 422 | Invalid parameter | See response body |
| 429 | Rate limit | Pause and retry |
Tokens and security
- Treat your token like a password — never commit it to git, JS bundles, or public code.
- Use it only server-side (never expose it to the frontend).
- For browser apps, create a proxy endpoint on your own server that injects the token.
- If you suspect a leak — tell us immediately; we revoke within minutes.
- You can have multiple tokens per account (e.g., staging and production separated).
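
The proxy endpoint recommended above for browser apps, sketched with the Python standard library as an added example (not code from this API's provider). The browser calls your server, and only the server attaches the Bearer token. The environment variable name `STATS_API_TOKEN`, the path allowlist, and the listen address are assumptions.

```python
import os
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "https://stats-api.ds2.app"  # host shown in the page's request example
# Assumed allowlist: only /api/v1/ paths with plain path and query characters.
SAFE_PATH = re.compile(r"^/api/v1/[A-Za-z0-9_\-/]*(\?[A-Za-z0-9_\-=&%.,]*)?$")
PASS_BACK = ("Content-Type", "Retry-After", "X-RateLimit-Limit", "X-RateLimit-Remaining")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never follow a redirect, so the token cannot reach another host

OPENER = urllib.request.build_opener(NoRedirect)

def build_upstream_request(path, token):
    """Return the upstream Request for an allowed path, or None to reject it."""
    if not token or not SAFE_PATH.match(path):
        return None
    # Only these headers go upstream; the browser's own headers are dropped.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(UPSTREAM + path, method="GET", headers=headers)

class StatsProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # STATS_API_TOKEN is an assumed variable name; the token stays on the server.
        req = build_upstream_request(self.path, os.environ.get("STATS_API_TOKEN", ""))
        if req is None:
            return self.send_error(404)
        try:
            resp = OPENER.open(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # 4xx/5xx replies (e.g. 429) are relayed with their headers
        except OSError:
            return self.send_error(502)
        body = resp.read()
        self.send_response(resp.status)
        for name in PASS_BACK:
            if resp.headers.get(name):
                self.send_header(name, resp.headers[name])
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), StatsProxy).serve_forever()
```

Put your own session check and per-user throttling in front of this handler, since anyone who can reach the proxy spends your plan's rate limit.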