Authentication

Raw markdown source view for LLM workflows.

---
title: Authentication
description: Header requirements, package validation, and request origin checks.
---

All protected endpoints require three headers.

## Required headers

```http
X-API-Token: YOUR_API_KEY
X-API-Token-Type: FREE
X-API-Token-Email: [email protected]
```

Header names are case-insensitive, but values are validated strictly.

## Token type rules

- Allowed values: `FREE`, `PRO`
- Any other value returns `401` with `API token Type is invalid`

## Whitelist enforcement

API key settings can enforce a whitelist:

- **IP whitelist**: compares request IP against the configured value.
- **Domain whitelist**: compares origin/referer/host against the configured domain.

Blocked requests return `403`.

## Quota behavior

For non-PRO keys, usage is checked over the last 24 hours:

- When the quota is exceeded, the API returns `429`.
- Response includes both `quota` and `used` values.

## Recommended client pattern

Always set credentials through a central request helper so retries, logging, and error handling stay consistent.

```ts
export function buildGameQueryHeaders() {
  return {
    'Content-Type': 'application/json',
    'X-API-Token': process.env.GQ_API_TOKEN,
    'X-API-Token-Type': process.env.GQ_API_TOKEN_TYPE,
    'X-API-Token-Email': process.env.GQ_API_TOKEN_EMAIL,
  };
}
```