Authentication
The Bassode API uses API key authentication with request headers. Every request must include both an API key and secret.
How Authentication Works
All API requests must include two headers:
- X-Api-Key - Your public API key (starts with bsk_)
- X-Api-Secret - Your secret API key
Request Headers
GET /api/speakers HTTP/1.1
Host: api.bassode.com
X-Api-Key: bsk_live_2iqblig9bj8ah3154hnald6zqe6ioge6
X-Api-Secret: your_actual_secret_here
Getting Your API Keys
You can create and manage API keys from your account dashboard:
- Sign in to bassode.com
- Navigate to Account → API Keys
- Click "Create New API Key"
- Assign a name and select scopes
- Copy both the key and secret immediately
Security Warning: Your API Secret is shown only once during creation. Store it securely in your application's configuration or environment variables. Never commit secrets to version control.
API Key Format
API keys follow a specific format to help you identify them:
- Prefix: bsk_ (Bassode Service Key)
- Environment: live_ for production, test_ for testing
- Identifier: Random alphanumeric string
bsk_live_2iqblig9bj8ah3154hnald6zqe6ioge6
│   │    │
│   │    └─ Unique identifier
│   └────── Environment (live/test)
└────────── Prefix (Bassode Service Key)
Authentication Examples
cURL
curl https://api.bassode.com/api/speakers \
  -H "X-Api-Key: bsk_live_xxxxxxxxxxxxxx" \
  -H "X-Api-Secret: your_secret_here"
C# (HttpClient)
var client = new HttpClient();
client.DefaultRequestHeaders.Add("X-Api-Key", apiKey);
client.DefaultRequestHeaders.Add("X-Api-Secret", apiSecret);
var response = await client.GetAsync("https://api.bassode.com/api/speakers");
JavaScript (Fetch)
const response = await fetch('https://api.bassode.com/api/speakers', {
  headers: {
    'X-Api-Key': 'bsk_live_xxxxxxxxxxxxxx',
    'X-Api-Secret': 'your_secret_here'
  }
});
Python (Requests)
import requests
headers = {
    'X-Api-Key': 'bsk_live_xxxxxxxxxxxxxx',
    'X-Api-Secret': 'your_secret_here'
}
response = requests.get('https://api.bassode.com/api/speakers', headers=headers)
Error Responses
Missing Authentication Headers
If you forget to include the authentication headers, you'll receive:
HTTP/1.1 401 Unauthorized
{
  "error": "Missing authentication headers",
  "message": "Both X-Api-Key and X-Api-Secret headers are required"
}
Invalid Credentials
If your API key or secret is incorrect:
HTTP/1.1 401 Unauthorized
{
  "error": "Invalid credentials",
  "message": "The provided API key or secret is invalid"
}
Insufficient Permissions
If your API key doesn't have the required scope:
HTTP/1.1 403 Forbidden
{
  "error": "Insufficient permissions",
  "message": "Your API key does not have the required scope: speakers:read"
}
Security Best Practices
- Use environment variables - Store keys in environment variables, never hardcode them
- Rotate keys regularly - Create new keys and deactivate old ones periodically
- Use minimal scopes - Only request the scopes your application needs
- Monitor API usage - Check your dashboard for unusual activity
- Separate keys per environment - Use different keys for development, staging, and production
- Delete unused keys - Remove keys that are no longer needed
- HTTPS only - All requests must use HTTPS to protect your credentials in transit
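Several of these practices, together with the 401, 403 and 429 responses this page documents, can be enforced in a small client-side guard. This is an added example, not Bassode's own code; the environment variable names BASSODE_API_KEY and BASSODE_API_SECRET, the function names, the identifier character set and the 60-second fallback are assumptions.

```python
import os
import re
from urllib.parse import urlsplit

# Assumed pattern: the page only says the identifier is "random alphanumeric".
KEY_RE = re.compile(r"bsk_(live|test)_[A-Za-z0-9]+")


def key_environment(api_key):
    """Return 'live' or 'test' for a well-formed key, else raise ValueError."""
    m = KEY_RE.fullmatch(api_key)  # fullmatch also rejects stray whitespace/newlines
    if not m:
        raise ValueError("API key does not match bsk_<live|test>_<identifier>")
    return m.group(1)


def auth_headers(url, expected_env, environ=os.environ):
    """Build both auth headers from environment variables, failing closed."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    api_key = environ.get("BASSODE_API_KEY", "")        # hypothetical variable name
    api_secret = environ.get("BASSODE_API_SECRET", "")  # hypothetical variable name
    if not api_key or not api_secret:
        raise ValueError("BASSODE_API_KEY and BASSODE_API_SECRET must both be set")
    if key_environment(api_key) != expected_env:
        # Catches a live key loaded in a test deployment, and the reverse.
        raise ValueError("key environment does not match " + expected_env)
    return {"X-Api-Key": api_key, "X-Api-Secret": api_secret}


def next_action(status, body):
    """Map the documented error responses to what the caller should do."""
    if status == 429:
        # Honor the server's retryAfter; the 60 s fallback is an assumption.
        return ("retry", int(body.get("retryAfter", 60)))
    if status == 401:
        return ("fix_credentials", 0)  # retrying with the same key cannot succeed
    if status == 403:
        return ("fix_scopes", 0)       # key is valid but lacks the required scope
    return ("ok", 0) if status < 400 else ("fail", 0)
```

Pass the returned dictionary as the headers of any HTTP client call, and treat only the "retry" action as safe to repeat automatically.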
Managing API Keys
You can manage your API keys from the API Keys dashboard:
- View all keys - See all your active API keys and their scopes
- Create new keys - Generate additional keys for different applications
- Update scopes - Modify the permissions granted to a key
- Deactivate keys - Temporarily disable a key without deleting it
- Delete keys - Permanently remove a key (this cannot be undone)
- View usage - Monitor how often each key is being used
Rate Limiting
API keys are subject to rate limits based on your account tier. If you exceed the limit, you'll receive:
HTTP/1.1 429 Too Many Requests
{
  "error": "Rate limit exceeded",
  "message": "You have exceeded your rate limit. Try again in 60 seconds.",
  "retryAfter": 60
}