The Spine API uses API keys sent as the X-API-KEY request header. The
SDK adds the header for you on every request — you just need to give it
a key.
Passing the key
Never commit keys to source control. Use your deployment platform’s
secret manager (AWS Secrets Manager, 1Password, Doppler, etc.) and
inject them at runtime. Never ship keys to the browser — proxy requests
through your own backend instead.
If apiKey is falsy, the Spine constructor throws immediately — before
any network call.
Key rotation
Keys revoked in the dashboard stop working on the next request; you’ll
see SpineAuthError thrown from the SDK. Roll new keys through your
secret store before revoking the old one so running processes don’t
break mid-run. The server caches keys for up to 5 minutes, so leave that
grace window.
Overriding the base URL
Point the SDK at a staging or enterprise deployment via baseURL:
The SDK appends /v1 paths automatically, so pass the host without the
API prefix.
Tuning timeouts and retries
See Errors and retries for the retry policy.
Injecting your own fetch
For advanced cases (custom proxies, test doubles, alternative runtimes),
pass a pre-configured fetch implementation. The SDK still applies
X-API-KEY and User-Agent headers — your implementation does not need
to set them.
Observing requests
Use onRequest and onResponse for tracing every call: