API Key Authentication

All API endpoints require authentication using a Bearer token. You must include your API key in the Authorization header of every request.

Getting Your API Key

1. Add on Discord
   Add southctrl on Discord

2. Request Access
   Send a message requesting API access

3. Receive Your Key
   You’ll receive your unique API key via Discord DM

4. Store Securely
   Save your API key in a secure location (environment variables recommended)

API keys are issued manually to ensure quality and prevent abuse. You should receive your key within 24 hours.

Authentication Header

Include your API key in every request using the Authorization header:
Authorization: Bearer YOUR_API_KEY

Example Requests

curl -X GET "https://rocks.rive.wtf/api/bible/random?translation=web" \
  -H "Authorization: Bearer YOUR_API_KEY"

Using Environment Variables

Never hardcode your API key in your code! Always use environment variables to keep your key secure.
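# .env file (keep it out of version control)
ROCKS_API_KEY=your_api_key_here

// In your code (Node.js)
require('dotenv').config();
const API_KEY = process.env.ROCKS_API_KEY;
if (!API_KEY) {
  // Fail fast instead of sending "Bearer undefined"
  throw new Error('ROCKS_API_KEY is not set');
}

// CommonJS has no top-level await, so the request runs inside an async function
async function callApi() {
  const response = await fetch('https://rocks.rive.wtf/api/endpoint', {
    headers: {
      'Authorization': `Bearer ${API_KEY}`
    }
  });
  return response.json();
}

callApi().then(console.log).catch(console.error);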

Security Best Practices

Environment Variables

Always store API keys in environment variables, never in source code

Gitignore Files

Add .env and config files containing keys to .gitignore

Server-Side Only

Never expose API keys in client-side JavaScript or public repositories

Rotate Regularly

Contact southctrl on Discord if you need to rotate your API key

Important Security Notes:
  • Never commit API keys to version control (Git, GitHub, etc.)
  • Don’t share your API key in Discord servers, forums, or public channels
  • If you accidentally expose your key, contact southctrl immediately for a new one
  • Use different keys for development and production environments when possible

Rate Limiting

The API implements rate limiting to ensure fair usage across all users:
  • Standard: 100 requests per minute
  • Burst: 10 requests per second

If you need higher limits, contact southctrl on Discord with your use case.

Each response includes rate limit information in the headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640995200

Implement exponential backoff when you receive a 429 status:

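// Assumes API_KEY was loaded from the environment as shown above
async function makeRequestWithRetry(url, retries = 3) {
  for (let i = 0; i < retries; i++) {
    const response = await fetch(url, {
      headers: { 'Authorization': `Bearer ${API_KEY}` }
    });

    // Anything other than 429 (success or another error) goes back to the caller
    if (response.status !== 429) {
      return response.json();
    }

    // Wait before retrying (exponential backoff: 1s, 2s, ...); skip the wait after the last attempt
    if (i < retries - 1) {
      await new Promise(resolve => setTimeout(resolve, 1000 * Math.pow(2, i)));
    }
  }
  throw new Error('Rate limit exceeded');
}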
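
A variant of the retry loop above that uses the rate limit headers, added here as an example and not part of the API's own documentation: it reads X-RateLimit-Remaining and X-RateLimit-Reset to decide how long to wait, validates them, and caps the delay. It assumes X-RateLimit-Reset is a Unix timestamp in seconds; headerInt, retryDelayMs, fetchWithRateLimit and their parameters are names chosen for this example.

```javascript
// Added example, not taken from the API's own documentation.
// Assumption: X-RateLimit-Reset is a Unix timestamp in seconds.
const BASE_DELAY_MS = 1000;
const MAX_DELAY_MS = 60_000; // cap: never let a header value make the client sleep longer than one window

// Read a header as a non-negative integer; null when absent or malformed.
function headerInt(headers, name) {
  const raw = headers.get(name);
  return typeof raw === 'string' && /^\d+$/.test(raw.trim()) ? Number(raw.trim()) : null;
}

// How long to wait after a 429. `attempt` is the 0-based retry count; `nowMs` and
// `random` are injectable so the result is reproducible.
function retryDelayMs(headers, attempt, nowMs = Date.now(), random = Math.random) {
  const remaining = headerInt(headers, 'X-RateLimit-Remaining');
  const reset = headerInt(headers, 'X-RateLimit-Reset');
  const untilReset = reset === null ? 0 : reset * 1000 - nowMs;

  // Per-minute quota exhausted: retrying before the window resets cannot succeed.
  if (remaining === 0 && untilReset > 0) {
    return Math.min(MAX_DELAY_MS, untilReset + random() * 250);
  }
  // Burst limit hit, or headers missing/stale: exponential backoff with jitter so
  // several workers sharing one key do not retry in lockstep.
  const exp = Math.min(MAX_DELAY_MS, BASE_DELAY_MS * 2 ** attempt);
  return exp / 2 + random() * (exp / 2);
}

const sleepMs = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// `fetchImpl` and `sleep` are parameters so the loop can be exercised offline.
async function fetchWithRateLimit(url, apiKey, maxAttempts = 4, fetchImpl = fetch, sleep = sleepMs) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const response = await fetchImpl(url, { headers: { Authorization: `Bearer ${apiKey}` } });
    if (response.status !== 429) return response; // caller inspects 200/401/403/500
    if (attempt < maxAttempts - 1) await sleep(retryDelayMs(response.headers, attempt));
  }
  throw new Error('Rate limit exceeded');
}
```

The function returns the raw response so the caller can tell a 401 or 403 apart from a success before parsing the body.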

Error Responses

If authentication fails, you’ll receive one of the following error responses:
| Status Code | Description | Solution |
|---|---|---|
| 401 | Missing or invalid API key | Check that your API key is correct and properly formatted |
| 403 | API key doesn’t have permission | Contact southctrl if you need access to this endpoint |
| 429 | Rate limit exceeded | Wait before making more requests or implement rate limiting |
| 500 | Server error | Try again later or contact support if issue persists |

Example Error Response

{
  "success": false,
  "error": {
    "code": 401,
    "message": "Invalid or missing API key",
    "details": "Please provide a valid API key in the Authorization header"
  }
}

Testing Your Authentication

Use this simple test to verify your API key is working:
curl -X GET "https://rocks.rive.wtf/api/bible/random?translation=web" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -w "\nStatus: %{http_code}\n"

Need Help?

Contact Support

Discord: southctrl

For issues with authentication, API key requests, or if you believe your key has been compromised, contact southctrl directly on Discord.

Keep your API key secure and treat it like a password. Anyone with your API key can make requests on your behalf.