The Spine API uses API keys sent as the X-API-KEY request header. The
SDK adds the header for you on every request — you just need to give it
a key.
Passing the key
Never commit keys to source control. Use your deployment platform’s
secret manager (AWS Secrets Manager, 1Password, Doppler, etc.) and
inject them at runtime.
If no key is provided and SPINE_API_KEY is unset, SpineClient()
raises ValueError immediately — before any network call.
Key rotation
Keys revoked in the dashboard stop working on the next request; you’ll
see AuthenticationError raised from the SDK. Roll new keys through
your secret store before revoking the old one so running processes
don’t break mid-run.
Overriding the base URL
Point the SDK at a staging or enterprise deployment via base_url (or
the SPINE_BASE_URL env var):
The SDK appends /v1 automatically, so pass the host without the API
prefix.
Injecting your own HTTP client
For advanced cases (custom proxies, SSL contexts, test doubles), pass a
pre-configured httpx.Client or httpx.AsyncClient. The SDK still
applies the X-API-KEY and User-Agent headers — your client does not
need to set them.
When you inject a client, the SDK does not close it on __exit__ —
that’s your responsibility.