0
Bug
Archived
Mar 30, 2026 · AA
Api key visible in image url
https://sports.bzzoiro.com/img/team/4482/?token=××××××××××××× so any one can view the api key and might abuse it, we need to work on protecting the api key so it won't display in raw file or code
Comments (3)
Artonis
Mar 30, 2026 19:04
You can encrypt the API key and provide it as a variable or string instead of hardcoding it in the image source. For instance, I'm using token=${API_KEY}
Oluboytech
Mar 30, 2026 19:22
Okay thanks
Bzzoiro
Admin
Apr 02, 2026 20:09
Hi! This has been fixed — image endpoints are now fully public and no longer require authentication. You can use them directly without any token:
No ?token= needed. Your API key should only be used in the Authorization: Token header for data endpoints (/api/events/, etc.), never in URLs.
Docs updated: https://sports.bzzoiro.com/docs/#images