Authentication

All BitPredict API requests require authentication via an API key passed in an HTTP header.

How it works

API keys are generated in Settings → API Keys. Each key has a human-readable prefix of bp_live_ followed by a random token.

The full key is displayed exactly once at creation time. BitPredict stores only a SHA-256 hash of the key — the plaintext is never persisted. If you lose your key, revoke it and generate a new one.

Key format

bp_live_xxxxxxxxxxxxxxxxxxx

Storage

SHA-256(key) only

Usage

Include your API key in the X-API-Key request header on every API call.

Header
X-API-Key: bp_live_your_key_here

curl -X GET "https://api.bitpredict.ai/v1/account/me" \
  -H "X-API-Key: bp_live_your_key_here"

Error responses

Authentication failures always return HTTP 401. A request to an endpoint that requires a higher plan returns HTTP 403 instead.

Status | detail | Cause
401 | MISSING_API_KEY | No X-API-Key header was sent
401 | INVALID_API_KEY | Key not found or revoked
403 | INSUFFICIENT_PLAN | Endpoint requires a higher plan
401 Invalid key
{
  "detail": "INVALID_API_KEY"
}
401 Missing key
{
  "detail": "MISSING_API_KEY"
}
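
The hash-only storage described under "How it works" and the 401 codes under "Error responses" fit together as in the sketch below. It is an added example, not BitPredict's code. The KeyStore class, the key id used for revocation, the token length and the 200 response body are all assumptions.

```python
import hashlib
import secrets

PREFIX = "bp_live_"  # key prefix documented on this page


def sha256_hex(key):
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class KeyStore:
    """In-memory sketch of hash-only key storage (hypothetical, not BitPredict's code)."""

    def __init__(self):
        self._by_digest = {}   # SHA-256 hex digest -> key id
        self._revoked = set()  # key ids revoked by the owner

    def create(self):
        # Token length and alphabet are assumptions; the page only says "random token".
        key = PREFIX + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(4)  # hypothetical non-secret handle for the settings UI
        self._by_digest[sha256_hex(key)] = key_id
        return key_id, key  # the plaintext leaves here once and is not kept

    def revoke(self, key_id):
        # Revocation works by id, so a lost key can be revoked without its plaintext.
        self._revoked.add(key_id)

    def authenticate(self, headers):
        """Return (status, body) using the 401 detail codes listed on this page."""
        # HTTP header names are case-insensitive.
        lowered = {name.lower(): value for name, value in headers.items()}
        if "x-api-key" not in lowered:
            return 401, {"detail": "MISSING_API_KEY"}
        key = lowered["x-api-key"]
        # An unsalted fast hash is adequate only because the token is long and random;
        # the digest is an exact-match lookup key, so no plaintext comparison happens.
        key_id = self._by_digest.get(sha256_hex(key)) if key.startswith(PREFIX) else None
        if key_id is None or key_id in self._revoked:
            return 401, {"detail": "INVALID_API_KEY"}  # unknown and revoked look the same
        return 200, {"key_id": key_id}
```

Because only the digest is stored, a database read does not yield usable keys, and a lost key cannot be recovered, only revoked and replaced.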

Best practices

Store keys in environment variables

Never hard-code API keys in source code. Use a .env file locally and inject secrets via your deployment environment.

Never commit keys to version control

Add .env to your .gitignore. If a key is ever committed, even to a private repo, revoke it immediately.

Use one key per environment

Create separate keys for development, staging, and production. This lets you rotate or revoke individual environments without disruption.

Rotate keys regularly

Generate a new key periodically or whenever you suspect compromise. Revoke old keys from Settings → API Keys.
