Authentication
Every request to the Beta Gamer API must be authenticated with a Bearer API key. Keys are scoped per tenant and per environment.
Bearer token
Pass your API key in the Authorization header on every request:
Authorization: Bearer bg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxKey types
| Key prefix | Environment | Webhooks | Allowed modes | Notes |
|---|---|---|---|---|
bg_live_ | Production | ✓ Fired | live, training | Keep secret — server only |
bg_test_ | Testing | ✗ Never | test only | Safe for CI/CD pipelines |
🚨 Never expose your API key in client-side code (browser JS, React components, mobile apps). Always make the API call from your backend server and pass only the short-lived
sessionToken to the frontend.Origin allowlist
For additional security, requests are validated against an origin allowlist registered to your API key. Any request from an origin not in your allowlist receives a 403 Forbidden.
Configure your allowed origins in the dashboard. You can use * to allow all origins (not recommended for production).
// Example: allowed origins for a tenant
"allowedOrigins": [
"https://yourapp.com",
"https://staging.yourapp.com"
]Error responses
401Missing or invalid API key — check your Authorization header.
403Origin not in allowlist, or test key used to create a live session.
Rotating keys
If you suspect a key has been compromised, contact support@beta-gamer.com to rotate it immediately. New keys are issued instantly; old keys are invalidated within 60 seconds.
Beta Gamer GaaS API — questions? support@beta-gamer.com