Skip to main content
The Spine API uses API keys sent as the X-API-KEY request header. The SDK adds the header for you on every request — you just need to give it a key.

Passing the key

Never commit keys to source control. Use your deployment platform’s secret manager (AWS Secrets Manager, 1Password, Doppler, etc.) and inject them at runtime. Never ship keys to the browser — proxy requests through your own backend instead.
If apiKey is falsy, the Spine constructor throws immediately — before any network call.

Key rotation

Keys revoked in the dashboard stop working on the next request; you’ll see SpineAuthError thrown from the SDK. Roll new keys through your secret store before revoking the old one so running processes don’t break mid-run. The server caches keys for up to 5 minutes, so leave that grace window.

Overriding the base URL

Point the SDK at a staging or enterprise deployment via baseURL:
The SDK appends /v1 paths automatically, so pass the host without the API prefix.

Tuning timeouts and retries

See Errors and retries for the retry policy.

Injecting your own fetch

For advanced cases (custom proxies, test doubles, alternative runtimes), pass a pre-configured fetch implementation. The SDK still applies X-API-KEY and User-Agent headers — your implementation does not need to set them.

Observing requests

Use onRequest and onResponse for tracing every call: