Authentication
The Pro Clubs Studio API uses API keys to authenticate requests. Every request must include a valid key in the X-API-Key header.
API key types
Each partner account has access to two key types, identifiable by their prefix:
| Key type | Prefix | Purpose |
|---|---|---|
| Live | sk_live_* | Production use. Deducts real credits and produces production-quality images. |
| Test | sk_test_* | Development and testing. No credit deduction, watermarked output images. |
Including your key in requests
Pass your API key in the X-API-Key HTTP header on every request:
curl "https://api.proclubsstudio.com/v1/images" \
-H "X-API-Key: sk_live_your_key_here" \
-H "Content-Type: application/json"Live vs Test environment
The key prefix determines the environment. Both environments use the same base URL and endpoints — the behaviour changes automatically.
| Behaviour | Live | Test |
|---|---|---|
| Credit deduction | Real credits deducted | No credits deducted |
| Image output | Production-quality, CDN-hosted URLs | Watermarked or mocked images |
| Usage metrics | Tracked in live metrics | Segregated from live; separate counters |
| Webhooks | Delivered with "environment": "live" | Delivered with "environment": "test" |
Security best practices
Store keys securely
Your API key is shown only once when created. Store it in a secrets manager or environment variable — never hard-code it in source files. Pro Clubs Studio stores only the SHA-256 hash of your key along with the prefix and last 4 characters for display.
Server-side only
Never include your API key in client-side code, mobile apps, or browser requests. All API calls must originate from your backend servers.
Rotate regularly
If you suspect a key has been compromised, revoke it immediately from the Partner Console and generate a new one. Revoked keys return 401 on all subsequent requests.
Use test keys for development
Use sk_test_ keys during development and CI/CD. This prevents accidental credit consumption and keeps your live metrics clean.
Authentication errors
When authentication fails, the API returns one of the following error responses:
INVALID_API_KEY
Returned when the API key is missing, malformed, or has been revoked. Check that the X-API-Key header is present and the key is valid.
{
"success": false,
"data": null,
"error": {
"code": "INVALID_API_KEY",
"message": "The provided API key is invalid or has been revoked.",
"request_id": "req_abc123",
"docs_url": "https://platform.proclubsstudio.com/docs/errors/INVALID_API_KEY"
}
}PARTNER_SUSPENDED
Returned when the partner account associated with the key has been suspended. Contact support@proclubsstudio.com to resolve.
{
"success": false,
"data": null,
"error": {
"code": "PARTNER_SUSPENDED",
"message": "Your partner account has been suspended. Contact support.",
"request_id": "req_def456",
"docs_url": "https://platform.proclubsstudio.com/docs/errors/PARTNER_SUSPENDED"
}
}For the full list of errors, see the Error Reference.