Authentication
Saturday supports three authentication methods depending on your use case:
Most partner integrations start with API keys. Add OAuth2 when you need athletes (or coaches) to connect their existing Saturday accounts. Coaches automating against their own roster use a coach API key — see the Coach API.
API keys
All server-to-server requests use API keys passed in theAuthorization header as Bearer tokens.
Key types
Saturday uses prefixed API keys to prevent environment mistakes:
Coach keys (
cp_*) are minted in the coach portal under Settings → API Keys, not via api@saturday.fit. They authenticate the coach to the Coach API and are confined to that coach’s roster + own config.
Getting your keys
- Contact api@saturday.fit with your platform name and use case
- You’ll receive a sandbox key after vetting
- Complete integration testing to receive your production key
Using your key
Include the key in theAuthorization header on every request:
Key management
Creating additional keys:Save the key immediately. The full key value is only returned once at creation time. Store it securely — you won’t be able to retrieve it later.
Environments
Both environments use the same base URL — the API key prefix determines which environment you’re operating in.
Sandbox behavior
- All endpoints work identically to production
- Athlete data is isolated — sandbox athletes are not real people
- Rate limits are relaxed (higher limits for testing)
- Nutrition calculations return realistic but synthetic results
- No billing impact
Security best practices
- Store keys in environment variables, not in source code
- Use separate keys for different services or deployment stages
- Rotate keys regularly — at minimum every 90 days
- Monitor usage for unexpected patterns
- Revoke immediately if a key is exposed in logs, repos, or client code
- Never send keys over unencrypted channels — all API traffic uses HTTPS
Error responses
Authentication failures return a401 status: