Overview
The GameBoost API uses Bearer Token authentication to secure all API endpoints. You’ll need to include your API key in the Authorization header of every request.
All API requests must be made over HTTPS. Requests made over plain HTTP will fail.
Getting Your API Key
Your API key is available in the GameBoost Partner Dashboard. Follow these steps to retrieve it:
1. Log in to Partner Dashboard
Navigate to gameboost.com/dashboard and sign in with your partner account.
Not a partner yet? Go to jobs.gameboost.com and apply as a seller.
2. Access API Settings
From the dashboard, navigate to Settings → Developers in the left sidebar.

3. Generate or View API Key
- If you haven’t created an API key yet, click New API Key
- Give your API key a descriptive name to help you identify it later.
- By default, all API keys have full access to your account.

Your API key will only be shown in full once during generation. Make sure to copy and store it securely.
4. Copy and Secure Your Key
Copy your API key and store it in a secure location such as:
- Environment variables in your application
- A secure secrets manager (1Password, AWS Secrets Manager, etc.)
- Encrypted configuration files
Your API key is ready to use! You can now make authenticated requests to the GameBoost API.
Making Authenticated Requests
Include your API key in the Authorization header using the Bearer token scheme:
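An added example, not taken from GameBoost's own documentation: a small Python helper that reads the key from an environment variable, refuses non-HTTPS URLs, sets the Bearer header, and declines redirects so the key is never forwarded to another host. The variable name GAMEBOOST_API_KEY and all function names are assumptions made for this sketch.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumption: the variable name is chosen for this example, not by GameBoost.
API_KEY_ENV = "GAMEBOOST_API_KEY"


def load_api_key(env=None):
    """Read the key from the environment instead of hardcoding it."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    # Embedded whitespace or control characters would corrupt the header line.
    if any(c.isspace() or ord(c) < 0x20 for c in key):
        raise ValueError("API key contains whitespace or control characters")
    return key


def build_request(url, api_key, method="GET"):
    """Attach the key as a Bearer token, but only for HTTPS URLs."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    return urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {api_key}"}
    )


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib re-sends request headers on redirects; refuse to follow them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # the 3xx then surfaces as an HTTPError


def send(req, timeout=10):
    """Send with default TLS certificate verification and no redirects."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def redact(api_key):
    """Short form of the key that is safe to write to logs."""
    return api_key[:4] + "..." if len(api_key) > 8 else "***"
```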
Store your API key in environment variables rather than hardcoding it in your source code. This improves security and makes it easier to manage keys across different environments.
Managing Your API Keys
Rotating API Keys
For security best practices, we recommend rotating your API keys periodically:
1. Generate a new API key
In the Partner Dashboard, click New API Key to create a second API key.
2. Update your applications
Gradually update your applications and services to use the new API key.
3. Revoke the old key
Once all services are using the new key, revoke the old key from the dashboard.
You can have up to 2 active API keys at once to facilitate smooth key rotation without downtime.
Revoking API Keys
If your API key is compromised or no longer needed, revoke it immediately:
1. Navigate to Developers Settings
Go to Settings → Developers in the Partner Dashboard.
2. Select the key to revoke
Find the API key you want to revoke in the list of active keys.
3. Click Delete
Click the Delete (trash icon) button next to the key and confirm the action.

Revoking an API key is immediate and cannot be undone. All requests using the revoked key will fail immediately.
4. Generate a replacement
If needed, generate a new API key to replace the revoked one.
The old key has been revoked and can no longer be used to access the API.
Security Best Practices
Store keys securely
- Never commit API keys to version control
- Use environment variables or secure secrets management services
- Encrypt configuration files that contain API keys
- Restrict access to API keys on a need-to-know basis
Use HTTPS only
- Always make API requests over HTTPS
- Never send API keys over unencrypted connections
- Validate SSL certificates in your API client
Rotate keys regularly
- Rotate API keys every 90 days as a best practice
- Immediately rotate keys if you suspect compromise
- Use the dual-key system to enable zero-downtime rotation
Protect against scams
- Never share API keys between team members or applications
- Be wary of phishing attempts asking for your API key
- Never enter your API key on suspicious websites or third-party tools
- Report any suspicious activity or unauthorized access immediately