Developer API

Build bots, dashboards, and automations against your game servers with a clean REST API.

Quick Start

Two requests get you running — one public, one authenticated.

api.gamesentry.gg
# Public — no key needed
curlhttps://api.gamesentry.gg/v1/public/status
200 OK· 38ms
 
# Authenticated — pass your API key
curl-H"X-API-Key: gs_live_..." \
     https://api.gamesentry.gg/v1/servers
200 OK· 47ms

Authentication

Authenticated endpoints require an API key issued from your organization. Public endpoints work without one.

API Keys

Keys are scoped to one organization and one or more permission scopes. Keep them secret — never commit to git, never embed in client-side code. Each key starts with the prefix `gs_live_`.

  • gs_live_* — Production traffic. Real data, scoped to your organization.

Header Format

Either header is accepted on every authenticated endpoint:

X-API-Key: gs_live_<key>
# or
Authorization: Bearer gs_live_<key>

Scopes

When creating a key, choose only the scopes your integration actually needs. Least privilege.

servers:read

Read server metadata, status, and configuration.

players:read

Read player profiles, online sessions, and history.

bans:read

List active and historical bans.

automation:read

List automation rules and their execution log.

analytics:read

Read aggregated server statistics and trends.

webhooks:write

Create, update, and delete outbound webhook subscriptions, and rotate the signing secret.

Endpoints

All endpoints are versioned under /v1. JSON request and response bodies. UTC timestamps in ISO-8601.

Public endpoints

No authentication. Cached aggressively, suitable for public widgets and embeds.

GET/v1/public/servers/browseBrowse public servers, paginated PUBLIC
GET/v1/public/servers/{id}Get a public server profile PUBLIC
GET/v1/public/gamesList supported games PUBLIC
GET/v1/public/statusPlatform health status PUBLIC

Authenticated endpoints

Require an API key with the listed scope. Scoped to your organization only.

GET/v1/serversList managed servers in your org servers:read
GET/v1/servers/{id}Get a managed server by id servers:read
GET/v1/servers/{id}/onlineOnline players currently on a server players:read
GET/v1/servers/{id}/statsAggregated stats for a server analytics:read
GET/v1/players/{steamId}Get a player by Steam ID players:read
GET/v1/bansList bans across the org bans:read
GET/v1/servers/{serverId}/bansList bans for a single server bans:read
GET/v1/automationList automation rules automation:read
GET/v1/webhooksGet signing-secret metadata webhooks:write
POST/v1/webhooks/rotateRotate the webhook signing secret webhooks:write
POST/v1/webhooks/subscriptionsCreate a webhook subscription webhooks:write
GET/v1/webhooks/subscriptionsList webhook subscriptions webhooks:write
PUT/v1/webhooks/subscriptions/{id}Update a webhook subscription webhooks:write
DELETE/v1/webhooks/subscriptions/{id}Delete a webhook subscription webhooks:write

Rate Limits

Per-IP sliding window for public traffic, per-org token bucket for authenticated traffic. 429 responses include a Retry-After header.

300
requests / minute

Default limit on public endpoints. Per client IP.

60–1000
requests / minute

Authenticated limit varies by tier — Starter 300/min, Pro 1000/min, Business 5000/min. Per organization.

Retry-After

Always honor the Retry-After header. Back off and retry — never burst.

What's in each plan

API access starts at Starter. Higher tiers raise rate limits, webhook subscription caps, and unlock write scopes.

PlanPriceAPI AccessRate LimitWebhook SubsAvailable Scopes
Free€0 /mo0
Solo€4.99 /mo0
Starter€9.99 /mo300 / min5read
Pro€24.99 /mo1000 / min25read + write
Business€49.99 /mo5000 / minall

Limits are per organization. Add-on +10 webhook slots available on every paid tier.

Outbound Webhooks

Subscribe HTTPS URLs to org events. We sign every payload and retry on failures.

HMAC Signing

Every delivery includes an X-Signature header signed with your org's secret. Verify before trusting the payload.

X-Signature: t=1715600000,v1=<hex-hmac-sha256>

Retry & Idempotency

Failed deliveries retry with exponential backoff up to 24h. Each event has a unique id — your handler should be idempotent.

Event Types

Subscribe to one or many events per webhook subscription:

  • player.banned
  • player.kicked
  • player.joined
  • server.online
  • server.offline
  • automation.rule_fired

Errors

All errors return RFC 7807 Problem Details with a stable type URI and correlation id.

400

Bad Request — malformed query or body.

401

Unauthorized — missing or invalid API key.

403

Forbidden — key lacks the required scope or org doesn't own the resource.

404

Not Found — resource does not exist or is not visible to your org.

422

Unprocessable — validation failure (see `errors` array on the response).

429

Too Many Requests — rate limit exceeded. Wait the Retry-After period.

500

Internal Server Error — something broke on our side. The correlationId helps us debug.

Response Format

Every error follows this shape:

{
  "type": "https://gamesentry.gg/errors/server-not-found",
  "title": "Server not found",
  "status": 404,
  "detail": "No server matches id ...",
  "correlationId": "01JKN..."
}

Do / Don't

Do

  • Cache GET responses on your side — most responses include sensible Cache-Control headers.
  • Use one API key per integration so you can rotate without affecting other consumers.
  • Verify webhook signatures and treat your handler as idempotent.
  • Honor 429 + Retry-After, with exponential backoff for retried 5xx responses.

Don't

  • Embed API keys in browser-side JavaScript or mobile app bundles — they can be extracted.
  • Poll endpoints faster than your rate limit allows. Use webhooks for real-time events.
  • Hardcode resource IDs across environments. Use the test-key sandbox for development.
  • Ignore deprecation headers. We give 90 days notice before retiring any v1 endpoint.

Ready to integrate?

Browse the live OpenAPI spec, generate an API key, or see what's included in each tier.