Authentication - PatchPulse API
Instantly decode game balance changes
Manage Credentials View QuickstartAPI Keys
Secure your integrations with rotating, environment-scoped keys.
Every PatchPulse developer account receives two default keys: one for staging (`pk_test_...`) and one for production (`pk_live_...`). Keys are scoped to specific game endpoints such as `valorant/patches`, `league-of-legends/abilities`, and `overwatch-2/talents`. Rotate keys quarterly via the Dashboard > Security panel. If a key is compromised, revoke it instantly; active requests using the revoked key will receive a `401 Unauthorized` response within 60 seconds. All key generation and revocation events are logged with ISO 8601 timestamps and IP fingerprints for audit compliance.
Key Rotation
Automate rotation with our webhook triggers. Set a 90-day TTL and receive a `key.expiring` event 7 days before deactivation. Legacy keys remain valid for a 48-hour grace period to prevent pipeline downtime.
Environment Scoping
Isolate test data from live traffic. Staging keys automatically route to snapshot v4.2.1, while live keys pull the current production schema. Cross-environment requests are rejected at the gateway layer.
OAuth 2.0 Flows
Access player-specific patch preferences and saved changelogs securely.
PatchPulse supports Authorization Code with PKCE for server-side apps and Implicit Flow for client-side dashboards. Request the `read:patches` and `write:preferences` scopes to sync user watchlists across Riot, Blizzard, and Valve titles. Tokens expire after 2 hours; refresh tokens persist for 30 days unless revoked. All OAuth endpoints are hosted at `auth.patchpulse.dev/oauth2`. Include your client ID in the `Authorization: Bearer
PKCE Implementation
Generate a `code_challenge` using SHA-256. Exchange the authorization code at `/oauth2/token` with your `code_verifier` to obtain access and refresh tokens. Client secrets are never exposed to browser environments.
Scope Permissions
`read:patches` grants changelog access. `write:preferences` allows saving filter presets. `admin:webhooks` is required for custom alert routing. Over-scoping triggers a `403 Forbidden` error during token exchange.
Rate Limits
Predictable throughput guarantees for high-frequency patch monitoring.
PatchPulse enforces tiered rate limits based on your subscription plan. Free tiers receive 100 requests per minute (RPM) with a 10,000 daily cap. Pro tiers unlock 1,000 RPM and 150,000 daily requests. Enterprise accounts negotiate custom limits up to 10,000 RPM. When limits are approached, response headers include `X-RateLimit-Remaining`, `X-RateLimit-Reset`, and `X-RateLimit-Limit`. Exceeding the threshold returns a `429 Too Many Requests` payload with a `Retry-After` timestamp. Burst allowances of 150% are permitted for 30-second windows during major patch drops like Valorant Episode 8 Act 3 or League of Legends Patch 14.5.
Header Monitoring
Log `X-RateLimit-Remaining` to trigger internal circuit breakers. Implement exponential backoff starting at 500ms intervals. Failed requests do not count against your daily quota.
Burst Allowances
Temporary limit increases activate automatically during official patch windows. Monitor `/v1/system/status` for active burst events. Enterprise clients receive dedicated throughput lanes that bypass shared pool throttling.