Skip to main content
The Spine API uses API keys sent as the X-API-KEY request header. The SDK adds the header for you on every request — you just need to give it a key.

Passing the key

Never commit keys to source control. Use your deployment platform’s secret manager (AWS Secrets Manager, 1Password, Doppler, etc.) and inject them at runtime.
If no key is provided and SPINE_API_KEY is unset, SpineClient() raises ValueError immediately — before any network call.

Key rotation

Keys revoked in the dashboard stop working on the next request; you’ll see AuthenticationError raised from the SDK. Roll new keys through your secret store before revoking the old one so running processes don’t break mid-run.

Overriding the base URL

Point the SDK at a staging or enterprise deployment via base_url (or the SPINE_BASE_URL env var):
The SDK appends /v1 automatically, so pass the host without the API prefix.

Injecting your own HTTP client

For advanced cases (custom proxies, SSL contexts, test doubles), pass a pre-configured httpx.Client or httpx.AsyncClient. The SDK still applies the X-API-KEY and User-Agent headers — your client does not need to set them.
When you inject a client, the SDK does not close it on __exit__ — that’s your responsibility.