GETTING STARTED
Authentication
Every request must carry a valid API key in the X-API-Keyheader. That's the whole protocol — no OAuth, no tokens to refresh.
THE KEY MODEL
No password
design
The key is the login. Get yours from the dashboard and you're done.
3 keys per email
limit
Each email address can hold up to 3 active keys — one per project, say.
Regenerate anytime
recovery
Exposed a key? Regenerate it immediately in the dashboard. The old key stops working at once.
KEY HYGIENE
Env vars, not source
do
Never hardcode keys. Put
NBA2K_API_KEY=… in .env and add .env to .gitignore.Server-side only
don't
Call the API from your backend, not the browser. A key in client-side JavaScript is publicly readable.
WHEN IT FAILS
A missing or invalid key returns 401 Unauthorized with the envelope shown on the right. See the error handling guide for the full code list, or check the dashboard to verify your key is active.
KEYS ARE CHECKED ON EVERY REQUEST · NO SESSION STATE.
curl 'https://api.nba2kapi.com/api/players' \ -H 'X-API-Key: your_api_key_here'
401 UNAUTHORIZED
// Missing key → 401
{
"success": false,
"error": {
"message": "API key is required",
"code": "MISSING_API_KEY"
}
}
// Invalid key → 401
{
"success": false,
"error": {
"message": "Invalid API key",
"code": "INVALID_API_KEY"
}
}