GLOOOP
API Docs

Authentication

Learn how Glooop API authentication works, how to create and manage API keys, and best practices for keeping your keys secure.

API Key Format

All Glooop API keys follow a consistent format:

glp_sk_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

Prefix

glp_sk_

Identifies this as a Glooop secret key

Secret

64 hex characters

Cryptographically secure random string

How to Authenticate

Include your API key in the X-API-Key header of every request:

cURL Example

curl -X GET "https://api.glooop.fun/api/v1/public/v1/deals" \
  -H "X-API-Key: glp_sk_YOUR_API_KEY_HERE"

JavaScript Example

const response = await fetch('https://api.glooop.fun/api/v1/public/v1/deals', {
  headers: {
    'X-API-Key': 'glp_sk_YOUR_API_KEY_HERE'
  }
});

Python Example

import requests

headers = {'X-API-Key': 'glp_sk_YOUR_API_KEY_HERE'}
response = requests.get(
    'https://api.glooop.fun/api/v1/public/v1/deals',
    headers=headers
)

Security Features

SHA-256 Hashing

API keys are hashed using SHA-256 before being stored in the database. The plaintext key is never stored, making it impossible to recover if lost.

One-Time Display

When you create an API key, the full key is shown only once. After that, only the prefix is visible (e.g., glp_sk_1234...).

Scope-Based Permissions

Every API key has specific scopes that define what it can access: deals:read, marketplace:read, stats:read

Status Management

API keys can be in different states: ACTIVE, REVOKED, EXPIRED, or RATE_LIMITED. Only ACTIVE keys can make requests.
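The storage and checks described under Security Features can be sketched as follows. This is an added example, not Glooop's own server code; the in-memory STORE and the function names key_digest, create_key, authorize and revoke are assumptions made for illustration.

```python
import hashlib
import re
import secrets

KEY_RE = re.compile(r"glp_sk_[0-9a-f]{64}")  # key format documented above
STORE = {}  # assumed stand-in for the database: SHA-256 hex digest -> record


def key_digest(key):
    # Unsalted SHA-256 is reasonable here because the secret is 256 random
    # bits; it would not be for low-entropy secrets such as passwords.
    return hashlib.sha256(key.encode()).hexdigest()


def create_key(name, scopes):
    """Mint a key, persist only its hash, and return the plaintext once."""
    key = "glp_sk_" + secrets.token_hex(32)  # 32 CSPRNG bytes -> 64 hex chars
    STORE[key_digest(key)] = {
        "name": name,
        "display": key[:11] + "...",  # prefix shown later, e.g. glp_sk_1234...
        "scopes": set(scopes),
        "status": "ACTIVE",
    }
    return key  # one-time display: STORE cannot reproduce it


def authorize(presented, required_scope):
    """Decide whether an X-API-Key header value may use required_scope."""
    if not isinstance(presented, str) or not KEY_RE.fullmatch(presented):
        return False, "malformed"  # reject before hashing or any lookup
    record = STORE.get(key_digest(presented))
    if record is None:
        return False, "unknown"
    if record["status"] != "ACTIVE":  # REVOKED, EXPIRED, RATE_LIMITED
        return False, record["status"].lower()
    if required_scope not in record["scopes"]:
        return False, "missing_scope"
    return True, "ok"


def revoke(digest):
    """Mark a key REVOKED by its stored digest; there is no way back."""
    if digest not in STORE:
        return False
    STORE[digest]["status"] = "REVOKED"
    return True
```
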

Security Best Practices

Never Do This

  • Commit API keys to version control (Git, SVN, etc.)
  • Share API keys in public forums, chat, or email
  • Embed API keys directly in client-side JavaScript
  • Use the same API key for multiple applications
  • Store API keys in plaintext files or databases

Always Do This

  • Store API keys in environment variables or secret managers
  • Create separate API keys for different applications/environments
  • Revoke API keys immediately if compromised
  • Use descriptive names for API keys (e.g., "Production Mobile App")
  • Monitor API key usage regularly in your dashboard
  • Rotate API keys periodically (every 90 days recommended)

Storing Keys Securely

Node.js / Next.js (.env file)

# .env.local
GLOOOP_API_KEY=glp_sk_YOUR_API_KEY_HERE

# .gitignore
.env.local

Python (.env file)

# .env
GLOOOP_API_KEY=glp_sk_YOUR_API_KEY_HERE

# Load in your code
import os
from dotenv import load_dotenv

load_dotenv()
api_key = os.getenv('GLOOOP_API_KEY')

Production (Docker Secrets / Kubernetes)

# Kubernetes Secret
apiVersion: v1
kind: Secret
metadata:
  name: glooop-api-key
type: Opaque
data:
  api-key: Z2xwX3NrX1lPVVJfQVBJX0tFWQ==  # base64-encoded only; base64 is an encoding, not encryption

Managing API Keys

View All Keys

Visit http://localhost:3000/api-keys to see all your API keys with their status, tier, and usage statistics.

Revoke a Key

If an API key is compromised, revoke it immediately from your dashboard. Revoked keys cannot be reactivated - you must create a new key.

Monitor Usage

Click "View Analytics" on any key to see:

  • Total requests in the last 7 days
  • Requests by endpoint
  • Requests by status code (200, 400, 429, etc.)
  • Average response time