Auth & API Keys
Authenticate Rondo requests with the right header, scope, and allowed domains for league and facility owner integrations.
Authenticate requests with your Rondo API key so only the right leagues, facilities, and domains can use your integration.
Supported headers
Use this section to send the key in a supported header before you embed a widget or call a public API.
| Header | When to use it | Notes |
|---|---|---|
X-Rondo-Api-Key | Preferred API key header | Use one header format consistently |
X-API-Key | Alternate API key header | Supported for the same API key |
X-Rondo-Api-Key: your_api_keyX-API-Key: your_api_keyKey configuration
Use this section to limit access to only the resources and domains your app needs.
| Option | Type | Why it matters |
|---|---|---|
leagueIds | Array | Limits access to specific leagues |
facilityIds | Array | Limits access to specific facilities |
allowedOrigins | Array | Limits browser-based use to approved domains |
Recommended setup
Use this section to keep your key setup predictable in development and production.
- Create a separate API key for each environment you control.
- Limit the key to the
leagueIdsorfacilityIdsyour app actually needs. - Add every site domain that will load the widget to
allowedOrigins. - Rotate keys when ownership changes or as part of your regular security process.
Common checks
Use this section to rule out the most common authentication problems before deeper debugging.
- Confirm you are sending exactly one supported API key header.
- Confirm your domain is included in
allowedOrigins. - Confirm the key scope includes the target league or facility.
- Confirm you are calling the development base URL during testing.
Next step: Continue to League & Session Widget or Facility Booking Widget.
Updated 42 minutes ago