Overview
Authentication depends on the API surface:
Public API
Requires API key. Preferred header: x-evento-api-key
Embed API
No authentication required. CORS-enabled for browser access.
Never ship your Public API key in client-side JavaScript. Keep keyed requests server-side.
Primary option:
x-evento-api-key: YOUR_API_KEY
Alternative option:
Authorization: Bearer YOUR_API_KEY
Examples
curl https://evento.so/api/public/v1/events/evt_abc123 \
-H "x-evento-api-key: YOUR_API_KEY"
Error responses
401 unauthorized
Returned when the API key is missing, invalid, or revoked:
{
"success": false,
"message": "Not authenticated."
}
Common causes:
- Missing x-evento-api-key header
- Invalid API key format
- Revoked or expired API key
403 forbidden
Returned when the key is valid but missing required permissions:
{
"success": false,
"message": "Insufficient API key scope."
}
429 too many requests
Returned when you exceed the rate limit (1,000 requests/day):
{
"success": false,
"message": "Too many requests. Please try again later."
}
Response headers include:
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1640995200
Best practices
Use environment variables
Store API keys in environment variables, never hardcode them:
EVENTO_API_KEY=evento_xxx
Server-side only
Use keyed requests from trusted backend environments only.
Implement retry logic
Use exponential backoff when retrying failed requests.
Handle errors gracefully
Always check for 401 and 429 responses and handle them appropriately.
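The four practices above combined in one server-side client, as an added example that is not part of the Evento documentation. The function and exception names, the max_wait limit, the retry on 5xx responses, and the reading of X-RateLimit-Reset as a Unix timestamp in seconds are assumptions of this example.

```python
import os
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://evento.so/api/public/v1"  # path taken from the curl examples

class EventoAuthError(Exception):
    """401/403: the key is missing, invalid, revoked or under-scoped."""

class EventoRateLimited(Exception):
    """429 whose reset time is further away than the caller will wait."""

def http_get(url, headers):
    """Default transport; returns (status, headers, body) for any status."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def retry_delay(status, headers, attempt, now, base=1.0, cap=60.0):
    """Seconds to wait before the next attempt."""
    reset = {k.lower(): v for k, v in headers.items()}.get("x-ratelimit-reset")
    if status == 429 and reset is not None:
        # Assumption: X-RateLimit-Reset is a Unix timestamp in seconds.
        return max(0.0, float(reset) - now)
    return min(cap, base * 2 ** attempt)  # exponential backoff: 1s, 2s, 4s, ...

def get_event(event_id, transport=http_get, sleep=time.sleep,
              clock=time.time, max_attempts=4, max_wait=120.0):
    # Key comes from the environment only; a missing variable raises KeyError.
    headers = {"x-evento-api-key": os.environ["EVENTO_API_KEY"]}
    url = f"{BASE_URL}/events/{urllib.parse.quote(event_id, safe='')}"
    for attempt in range(max_attempts):
        status, resp_headers, body = transport(url, headers)
        if status in (401, 403):
            # Retrying cannot help, and the error text never contains the key.
            raise EventoAuthError(f"HTTP {status} from Evento Public API")
        if status != 429 and status < 500:
            return status, body  # includes 404 for a valid key, unknown event
        # 429, or 5xx treated as transient (assumption of this example).
        delay = retry_delay(status, resp_headers, attempt, clock())
        if delay > max_wait:
            raise EventoRateLimited(f"quota resets in {delay:.0f}s")
        if attempt + 1 < max_attempts:
            sleep(delay)
    raise RuntimeError(f"gave up after {max_attempts} attempts, last HTTP {status}")
```

Because the limit is per day, a 429 can carry a reset time hours away; max_wait makes the call fail fast with EventoRateLimited instead of blocking a backend worker until the quota resets.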
CORS notes (Embed API)
Embed API includes permissive CORS headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Content-Type
Testing authentication
Use this simple request to verify your API key is working:
curl https://evento.so/api/public/v1/events/evt_test \
-H "x-evento-api-key: YOUR_API_KEY" \
-v
If the key is valid but the event does not exist, you will receive 404 instead of 401.