Sports DocsAuthentication
All customer API calls use an API key. Your key is delivered by email after purchase and is also visible in the Scottfree Sports Account page.
Account page:
https://sports-app.scottfreellc.com/app/account
Production API keys use this prefix:
sk_alphapysports_
Recommended Method
Use the X-API-Key header:
curl -H "X-API-Key: $SFS_API_KEY" \
https://sports-api.scottfreellc.com/api/v1/sports
This is the best option for scripts, apps, and servers.
Bearer Token Method
Bearer auth is also supported:
curl -H "Authorization: Bearer $SFS_API_KEY" \
https://sports-api.scottfreellc.com/api/v1/predictions/mlb/won_on_points
If both Authorization and X-API-Key are present, X-API-Key wins. This allows Cloud Run identity tokens to coexist with a Scottfree Sports API key.
Query Parameter Method
The api_key query parameter works:
curl "https://sports-api.scottfreellc.com/api/v1/sports?api_key=$SFS_API_KEY"
Use this only for quick manual tests. Header auth is safer because query strings can appear in browser history, proxy logs, and analytics logs.
Plans And Permissions
| Product | What the key can access |
|---|---|
| Scottfree Sports Data | Account endpoints plus /api/v1/scottfree-sports-data/status and /refresh. Does not unlock predictions/results/summary unless the same customer also has Basic or Premium. |
| Scottfree Sports Basic | Predictions, odds, results, summary, account, and usage endpoints. |
| Scottfree Sports Premium | Everything in Basic plus supported CLI and MCP access. |
Account And Key Management
List your keys:
curl -H "X-API-Key: $SFS_API_KEY" \
https://sports-api.scottfreellc.com/api/v1/customers/me/api-keys
Create another key:
curl -X POST \
-H "X-API-Key: $SFS_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name":"Backtest Script"}' \
https://sports-api.scottfreellc.com/api/v1/customers/me/api-keys
Rename a key:
curl -X PATCH \
-H "X-API-Key: $SFS_API_KEY" \
-H "Content-Type: application/json" \
-d '{"api_key_to_rename":"sk_alphapysports_abcd*****","new_name":"Production App"}' \
https://sports-api.scottfreellc.com/api/v1/customers/me/api-keys/rename
Revoke a key:
curl -X DELETE \
-H "X-API-Key: $SFS_API_KEY" \
https://sports-api.scottfreellc.com/api/v1/customers/me/api-keys/sk_alphapysports_abcd*****
The API will not let you revoke the key you are currently using for the request.
Security Practices
- Store keys in environment variables or a secrets manager.
- Do not commit keys to Git.
- Do not paste keys into public chat, tickets, or logs.
- Use separate keys for separate apps or scripts.
- Revoke old keys after replacing them.
- For browser apps, proxy requests through your own backend instead of exposing the API key directly in client-side JavaScript.
Common Errors
401 API key required
The request did not include an API key in X-API-Key, Authorization: Bearer, or api_key.
401 Invalid or expired API key
The key is wrong, revoked, expired, or not found.
403
The key is valid, but the plan does not allow that operation. Example: a Sports Data-only key trying to call predictions.
429
The key exceeded either the per-second limit or the monthly quota.
Minimal Python Example
import os
import requests
api_key = os.environ["SFS_API_KEY"]
base_url = "https://sports-api.scottfreellc.com"
response = requests.get(
f"{base_url}/api/v1/predictions/mlb/won_on_points",
headers={"X-API-Key": api_key},
timeout=30,
)
response.raise_for_status()
print(response.json())
Minimal JavaScript Example
const apiKey = process.env.SFS_API_KEY;
const response = await fetch(
"https://sports-api.scottfreellc.com/api/v1/predictions/mlb/won_on_points",
{ headers: { "X-API-Key": apiKey } }
);
if (!response.ok) {
throw new Error(`${response.status}: ${await response.text()}`);
}
console.log(await response.json());