Bug Archived Mar 30, 2026 · AA

API key visible in image URL

https://sports.bzzoiro.com/img/team/4482/?token=××××××××××××× so anyone can view the API key and might abuse it. We need to work on protecting the API key so it won't display in raw file or code.

Comments (1)
Bzzoiro Admin Apr 02, 2026 20:01
Good catch, thanks for reporting this! You're right — exposing the API token in image URLs is a security concern. We've just deployed a fix: image endpoints are now public and no longer require authentication.

You can use them directly without any token:

This means you can safely use them in <img> tags without exposing your API key:

Your API token should only be used for data endpoints (/api/events/, /api/leagues/, etc.) via the Authorization: Token header — never in URLs.

The docs have been updated accordingly: https://sports.bzzoiro.com/docs/#images
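A way to apply the rule from the reply above to your own pages, as an added example that is not part of the original thread or the project's code: it strips credential parameters from URLs found in markup and builds a data-endpoint request that carries the token only in the Authorization: Token header. The parameter names other than token, the size parameter and CONSTRUCTED_TOKEN are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
from urllib.request import Request

BASE = "https://sports.bzzoiro.com"
# Assumption: parameter names treated as credentials; only "token" appears on the page.
SECRET_PARAMS = {"token", "api_key", "apikey", "access_token"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def strip_secrets(url):
    """Return (clean_url, removed_param_names) with credential parameters dropped."""
    parts = urlsplit(url)
    kept, removed = [], []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        (removed if k.lower() in SECRET_PARAMS else kept).append((k, v))
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    return clean, [k for k, _ in removed]

def audit_markup(markup):
    """Rewrite every URL in markup that carries a credential; report what was found."""
    findings = []
    def fix(match):
        clean, removed = strip_secrets(match.group(0))
        if removed:
            findings.append((clean, removed))
            return clean
        return match.group(0)
    return URL_RE.sub(fix, markup), findings

def data_request(path, token):
    """Build (not send) a data-endpoint request with the token in the header only."""
    return Request(BASE + path, headers={"Authorization": f"Token {token}"})

# Constructed sample markup; CONSTRUCTED_TOKEN is a placeholder, not a real key,
# and the "size" parameter is hypothetical.
SAMPLE = ('<img src="https://sports.bzzoiro.com/img/team/4482/?token=CONSTRUCTED_TOKEN">'
          '<img src="https://sports.bzzoiro.com/img/team/4482/?size=64&token=CONSTRUCTED_TOKEN">')

if __name__ == "__main__":
    fixed, found = audit_markup(SAMPLE)
    print(fixed)
    for url, params in found:
        print("credential removed from", url, params)
    req = data_request("/api/events/", "CONSTRUCTED_TOKEN")
    print(req.full_url, "->", req.get_header("Authorization"))
```

Any token the audit finds in published markup has already been exposed to browsers, proxies and logs, so treat it as compromised and rotate it in addition to removing it from the URL.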