Skip to main content

Authentication

Saturday supports three authentication methods depending on your use case: Most partner integrations start with API keys. Add OAuth2 when you need athletes (or coaches) to connect their existing Saturday accounts. Coaches automating against their own roster use a coach API key — see the Coach API.

API keys

All server-to-server requests use API keys passed in the Authorization header as Bearer tokens.

Key types

Saturday uses prefixed API keys to prevent environment mistakes: Coach keys (cp_*) are minted in the coach portal under Settings → API Keys, not via api@saturday.fit. They authenticate the coach to the Coach API and are confined to that coach’s roster + own config.
Never expose live keys in client-side code. API keys should only be used in server-to-server requests. If you suspect a key has been compromised, rotate it immediately.

Getting your keys

  1. Contact api@saturday.fit with your platform name and use case
  2. You’ll receive a sandbox key after vetting
  3. Complete integration testing to receive your production key

Using your key

Include the key in the Authorization header on every request:

Key management

Creating additional keys:
Save the key immediately. The full key value is only returned once at creation time. Store it securely — you won’t be able to retrieve it later.
Rotating keys: Key rotation creates a new key and keeps the old one valid for 72 hours:
Revoking keys: Immediately invalidate a key (no grace period):

Environments

Both environments use the same base URL — the API key prefix determines which environment you’re operating in.

Sandbox behavior

  • All endpoints work identically to production
  • Athlete data is isolated — sandbox athletes are not real people
  • Rate limits are relaxed (higher limits for testing)
  • Nutrition calculations return realistic but synthetic results
  • No billing impact

Security best practices

  1. Store keys in environment variables, not in source code
  2. Use separate keys for different services or deployment stages
  3. Rotate keys regularly — at minimum every 90 days
  4. Monitor usage for unexpected patterns
  5. Revoke immediately if a key is exposed in logs, repos, or client code
  6. Never send keys over unencrypted channels — all API traffic uses HTTPS

Error responses

Authentication failures return a 401 status: