Authentication & Rate Limits
One key, one header, a shared rate limit. Here's the whole model.
The key model
Your API key is personal — it's tied to your Minecraft account, not to the server, and not to any particular bot or project. There is no concept of separate "app keys" or scoped credentials.
They currently all share your one key. There's no per-bot key issuance today, so if you
run a stats bot and an auction bot, both use the same X-API-Key value — and
both count against the same rate limit (see below).
Rate limits
Requests are rate-limited per key on a fixed time window. The default is commonly 60 requests per minute, but server admins can change this — treat 60 as a typical starting point, not a guarantee. If your bot's traffic is anywhere near the limit, ask the server's staff what the current number actually is rather than hardcoding it.
When you exceed it
You'll get an HTTP 429 with a Retry-After header (seconds to
wait) and a JSON error body, for example:
HTTP/1.1 429 Too Many Requests
Retry-After: 60
Content-Type: application/json
{"error": "Rate limit exceeded. Try again later."}
The right response is to back off and retry after the indicated delay — not to immediately retry or hammer the endpoint. A minimal backoff looks like this:
async function apiGet(path, apiKey) {
const res = await fetch(`${API_BASE}${path}`, {
headers: { "X-API-Key": apiKey }
});
if (res.status === 429) {
const waitSeconds = Number(res.headers.get("Retry-After")) || 60;
throw new RateLimitError(waitSeconds);
}
if (!res.ok) {
const body = await res.json().catch(() => ({}));
throw new Error(body.error || `Request failed with ${res.status}`);
}
return res.json();
}
class RateLimitError extends Error {
constructor(retryAfterSeconds) {
super(`Rate limited, retry after ${retryAfterSeconds}s`);
this.retryAfterSeconds = retryAfterSeconds;
}
}
See the Discord.js example for how to surface a 429 to a Discord user gracefully instead of letting the command silently fail.
Key revocation
Server staff can revoke an individual key at any time with /api revoke <player> —
typically because a bot using that key is misbehaving (hammering the API, scraping
excessively, etc.).
If a key that was working fine suddenly starts returning 401 Unauthorized
with no code changes on your end, revocation by staff is the most likely cause. Run
/api key in-game to check — if it prints a different key than the one you're
using, you'll need to update your bot's config. If you actually leaked the key yourself, use
/api regenerate instead.
A key can look up any player
This is intentional, not a bug: your API key isn't scoped to "your own" data. You can query
/api/player/{name-or-uuid} for
any player on the server, not just yourself. That's what makes leaderboard bots,
"check so-and-so's stats" commands, and auction-alert bots possible in the first place — there
would be no way to build those features if keys were locked to their own owner's data.