Authentication

Every request must include your API key. Keys look like osc_live_…. Treat them like passwords — never commit them, never ship them to a browser bundle you don't trust.

Authorization header (recommended)

curl https://livesofthesaintscalendar.com/api/v1/saints \
  -H "Authorization: Bearer osc_live_…"

X-API-Key header

If you can't set Authorization, use a custom header:

curl https://livesofthesaintscalendar.com/api/v1/saints \
  -H "X-API-Key: osc_live_…"

Query parameter (last resort)

Browser-only? You may pass ?api_key=osc_live_… as a query parameter. This leaks keys to server logs and analytics — only do this for restricted demo keys.

Rotating keys

From the dashboard you can create up to 10 active keys per account, revoke any of them instantly, and give each a descriptive name. Revocation takes effect within seconds.

What happens on a bad key

You'll get HTTP 401 with one of these error codes:

{ "error": { "code": "missing_api_key", "message": "Missing API key…" } }
{ "error": { "code": "invalid_api_key", "message": "Unknown API key." } }
{ "error": { "code": "revoked_api_key", "message": "This API key has been revoked." } }