Developer API
Build bots, dashboards, and automations against your game servers with a clean REST API.
Quick Start
Two requests get you running — one public, one authenticated.
Authentication
Authenticated endpoints require an API key issued from your organization. Public endpoints work without one.
API Keys
Keys are scoped to one organization and one or more permission scopes. Keep them secret — never commit to git, never embed in client-side code. Each key starts with the prefix `gs_live_`.
gs_live_*— Production traffic. Real data, scoped to your organization.
Header Format
Either header is accepted on every authenticated endpoint:
X-API-Key: gs_live_<key>
# or
Authorization: Bearer gs_live_<key>Scopes
When creating a key, choose only the scopes your integration actually needs. Least privilege.
servers:readRead server metadata, status, and configuration.
players:readRead player profiles, online sessions, and history.
bans:readList active and historical bans.
automation:readList automation rules and their execution log.
analytics:readRead aggregated server statistics and trends.
webhooks:writeCreate, update, and delete outbound webhook subscriptions, and rotate the signing secret.
Endpoints
All endpoints are versioned under /v1. JSON request and response bodies. UTC timestamps in ISO-8601.
Public endpoints
No authentication. Cached aggressively, suitable for public widgets and embeds.
/v1/public/servers/browseBrowse public servers, paginated PUBLIC /v1/public/servers/{id}Get a public server profile PUBLIC /v1/public/gamesList supported games PUBLIC /v1/public/statusPlatform health status PUBLIC Authenticated endpoints
Require an API key with the listed scope. Scoped to your organization only.
/v1/serversList managed servers in your org servers:read /v1/servers/{id}Get a managed server by id servers:read /v1/servers/{id}/onlineOnline players currently on a server players:read /v1/servers/{id}/statsAggregated stats for a server analytics:read /v1/players/{steamId}Get a player by Steam ID players:read /v1/bansList bans across the org bans:read /v1/servers/{serverId}/bansList bans for a single server bans:read /v1/automationList automation rules automation:read /v1/webhooksGet signing-secret metadata webhooks:write /v1/webhooks/rotateRotate the webhook signing secret webhooks:write /v1/webhooks/subscriptionsCreate a webhook subscription webhooks:write /v1/webhooks/subscriptionsList webhook subscriptions webhooks:write /v1/webhooks/subscriptions/{id}Update a webhook subscription webhooks:write /v1/webhooks/subscriptions/{id}Delete a webhook subscription webhooks:write Rate Limits
Per-IP sliding window for public traffic, per-org token bucket for authenticated traffic. 429 responses include a Retry-After header.
Default limit on public endpoints. Per client IP.
Authenticated limit varies by tier — Starter 300/min, Pro 1000/min, Business 5000/min. Per organization.
Always honor the Retry-After header. Back off and retry — never burst.
What's in each plan
API access starts at Starter. Higher tiers raise rate limits, webhook subscription caps, and unlock write scopes.
| Plan | Price | API Access | Rate Limit | Webhook Subs | Available Scopes |
|---|---|---|---|---|---|
| Free | €0 /mo | — | 0 | — | |
| Solo | €4.99 /mo | — | 0 | — | |
| Starter | €9.99 /mo | 300 / min | 5 | read | |
| Pro | €24.99 /mo | 1000 / min | 25 | read + write | |
| Business | €49.99 /mo | 5000 / min | ∞ | all |
Limits are per organization. Add-on +10 webhook slots available on every paid tier.
Outbound Webhooks
Subscribe HTTPS URLs to org events. We sign every payload and retry on failures.
HMAC Signing
Every delivery includes an X-Signature header signed with your org's secret. Verify before trusting the payload.
X-Signature: t=1715600000,v1=<hex-hmac-sha256>Retry & Idempotency
Failed deliveries retry with exponential backoff up to 24h. Each event has a unique id — your handler should be idempotent.
Event Types
Subscribe to one or many events per webhook subscription:
player.bannedplayer.kickedplayer.joinedserver.onlineserver.offlineautomation.rule_fired
Errors
All errors return RFC 7807 Problem Details with a stable type URI and correlation id.
400Bad Request — malformed query or body.
401Unauthorized — missing or invalid API key.
403Forbidden — key lacks the required scope or org doesn't own the resource.
404Not Found — resource does not exist or is not visible to your org.
422Unprocessable — validation failure (see `errors` array on the response).
429Too Many Requests — rate limit exceeded. Wait the Retry-After period.
500Internal Server Error — something broke on our side. The correlationId helps us debug.
Response Format
Every error follows this shape:
{
"type": "https://gamesentry.gg/errors/server-not-found",
"title": "Server not found",
"status": 404,
"detail": "No server matches id ...",
"correlationId": "01JKN..."
}Do / Don't
Do
- Cache GET responses on your side — most responses include sensible Cache-Control headers.
- Use one API key per integration so you can rotate without affecting other consumers.
- Verify webhook signatures and treat your handler as idempotent.
- Honor 429 + Retry-After, with exponential backoff for retried 5xx responses.
Don't
- Embed API keys in browser-side JavaScript or mobile app bundles — they can be extracted.
- Poll endpoints faster than your rate limit allows. Use webhooks for real-time events.
- Hardcode resource IDs across environments. Use the test-key sandbox for development.
- Ignore deprecation headers. We give 90 days notice before retiring any v1 endpoint.
Ready to integrate?
Browse the live OpenAPI spec, generate an API key, or see what's included in each tier.