Skip to main content

Authentication

There is none — and that's intentional. Every endpoint under /api/public/v1 is public and read-mostly. You don't need an API key, bearer token, or session cookie.

  • Don't send an Authorization header or cookies — they're ignored.
  • Cross-origin (CORS) requests are allowed from any origin, with credentials disabled. Allowed methods are GET, POST, and OPTIONS.

What's exposed (and what isn't)

The public API only returns data an org has chosen to make public:

  • Events resolve only when their visibility allows it (draft/private events 404).
  • Players, tee sheets, leaderboards, brackets, standings, and blog posts are the public-facing views — no private contact details, payment data, or admin fields.
  • The "start" actions (registration and membership purchase) only return a hosted URL; the actual payment happens on a separate hosted page, not through this API.