Authentication
REST requests use HMAC request signing with a ShotTracker-issued username and secret. Live Data V2 WebSocket uses a subscription token only.
- REST endpoints
All REST requests must be signed using the ShotTracker-issued username and secret. A username/secret pair has specific privileges; keep both secured. Signing uses HMAC (HMAC-SHA1).
- Path without query string (common gotcha)
The request-line used for signing must use only the path — no query string. For example, for a request to GET /v1/data/teams/123/events?from=1000&to=2000 you must sign using the path /v1/data/teams/123/events only. Including ?from=1000&to=2000 in the signed request-line will cause authentication to fail. Strip or omit the query string when building the path for the signature.
- Required headers
Send with each request: date (UTC, clock must not skew more than 5 minutes), host (server host), and Authorization (the full HMAC value with signature). The string to sign is built from date, host, and the request-line (e.g. "GET /v1/data/... HTTP/1.1" with path only, no query string).
- WebSocket (Live Data V2)
Authentication to the WebSocket does not use HMAC. Connect using only the subscription token acquired from the Game Subscription Token endpoint.