BrightStar's API uses API keys for authentication. This guide covers key generation, security practices, and rate limiting.
API Key Types
Live API Key
Prefix: `bs_live_`
Permissions: Full read/write access
Use case: Production applications
Test API Key
Prefix: `bs_test_`
Permissions: Full read/write (sandbox data)
Use case: Development and testing
Read-Only Key
Prefix: `bs_read_`
Permissions: Read-only access
Use case: Analytics dashboards, reporting
Authentication Header
```
Authorization: Bearer bs_live_your_api_key_here
```

```bash
# Example cURL request
curl -X GET "https://api.brightstarevents.com/v1/events" \
  -H "Authorization: Bearer bs_live_abc123" \
  -H "Content-Type: application/json"
```
Rate Limits
Standard Limits
• 100 requests per minute per API key
• 1,000 requests per hour per API key
• Burst allowance: 20 requests/second
Response Headers
• `X-RateLimit-Limit`: Max requests allowed
• `X-RateLimit-Remaining`: Requests remaining
• `X-RateLimit-Reset`: Unix timestamp of reset
Rate Limit Exceeded (429)
Wait the number of seconds given in the `Retry-After` header before retrying.
Security Best Practices
Secure your API integration:
- Never expose API keys in client-side code
- Store keys in environment variables
- Use test keys in development environments
- Rotate keys every 90 days
- Monitor API usage for anomalies
- Implement IP allowlists for server-side access
- Use webhook signatures to verify authenticity
If an API key is compromised, revoke it immediately in Settings → API Keys → Revoke. Generate a new key and update your applications. Compromised keys may result in account suspension.
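To catch keys that slip into client-side code before they ship, the key prefixes above can drive a pre-commit or CI check. The scanner below is an added example, not BrightStar code. It assumes the secret part of a key is six or more alphanumeric characters (this guide does not specify the format); the severity ranking, the sample files and the `BRIGHTSTAR_API_KEY` variable name are constructed for illustration.

```python
import re

# Prefixes and permissions come from the key types in this guide.
# ASSUMPTION: the severity ranking is illustrative, not a BrightStar policy.
KEY_TYPES = {
    "bs_live_": ("live", "full read/write, production", "critical"),
    "bs_test_": ("test", "full read/write, sandbox data", "medium"),
    "bs_read_": ("read-only", "read-only access", "high"),
}

# ASSUMPTION: the secret after the prefix is 6+ alphanumeric characters.
# The lookahead keeps placeholders like bs_live_your_api_key_here from matching.
KEY_RE = re.compile(r"\b(bs_(?:live|test|read)_)([A-Za-z0-9]{6,})(?![A-Za-z0-9_])")

def redact(prefix, secret):
    """Keep prefix and last 2 characters so the secret never lands in CI logs."""
    return f"{prefix}{'*' * (len(secret) - 2)}{secret[-2:]}"

def scan_text(name, text):
    """Return one finding per key-shaped string in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            prefix, secret = m.group(1), m.group(2)
            kind, access, severity = KEY_TYPES[prefix]
            findings.append({"file": name, "line": lineno, "type": kind,
                             "access": access, "severity": severity,
                             "key": redact(prefix, secret)})
    return findings

# Constructed sample input: two front-end files with hard-coded keys and one
# server file that reads a (hypothetically named) environment variable.
SAMPLE_FILES = {
    "static/app.js": 'fetch(u, {headers: {Authorization: "Bearer bs_live_Zx81kQp03Lm"}});\n',
    "static/dashboard.js": "// reporting widget\nconst KEY = 'bs_read_9fTq27Hd';\n",
    "server/client.py": 'import os\nKEY = os.environ["BRIGHTSTAR_API_KEY"]  # e.g. bs_live_your_api_key_here\n',
}

def scan_files(files):
    """Scan a {filename: contents} mapping and return all findings in order."""
    return [f for name, text in files.items() for f in scan_text(name, text)]

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity'].upper():8} {f['file']}:{f['line']} "
              f"{f['type']} key {f['key']} ({f['access']})")
```

Any finding means the key should be treated as compromised and revoked as described above, since removing it from the file does not remove it from version history or shipped bundles.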