Current posture

odds-api uses API-key authentication, server-side plan enforcement, per-client access controls, Stripe-managed billing, Cosmos-backed account/control records, and operational monitoring.

Enterprise roadmap

Formal DPA terms, custom retention windows, multiple active keys, dual-key rotation windows, scoped key labels, and deeper audit exports are roadmap or contract-driven items.

Security contact

Send sensitive reports to support@odds-api.net. Do not open public GitHub issues for vulnerabilities or exposed credentials.

API-key rotation

Customer API calls authenticate with the X-API-Key header. Active paid accounts can rotate the live key from the account page, which replaces the stored key for that API client.

Roadmap: dual-key overlap, multiple active keys, key labels, and per-key rotation windows for enterprise rollouts.

Key scoping

Server-side access is controlled by Cosmos/control-store ApiClients records. Current controls include active or disabled access, monthly limits, bookmaker allowlists, streaming/results/racing flags, strategy flags, and admin/internal flags for operator or service keys.

The public docs and examples use customer API keys only. Internal service keys are not part of the public developer package.

Infrastructure posture

The public microsite runs on Microsoft Azure infrastructure and stores account/control data in Azure Cosmos DB. The API runtime runs on DigitalOcean with Redis/Valkey for fast-moving operational data. Billing is handled by Stripe. Supabase bearer-token auth is used where applicable for app-auth flows. The public SDK, MCP, examples, and OpenAPI package are hosted on GitHub.

Logging and monitoring

The platform keeps website request logs, API quota and usage counters, Prometheus/Grafana heartbeats, and support diagnostics for operating the service. Incident artifacts can be captured during live debugging when required.

Customers should not place API keys in browser-visible code, public repositories, issue reports, screenshots, or support tickets.

Vulnerability disclosure

Email reports to support@odds-api.net with the affected URL, package, endpoint, reproduction steps, impact, and any relevant logs or screenshots with secrets removed.

We aim to acknowledge valid reports on a best-effort basis within 2 business days. Please avoid public disclosure until a remediation path has been agreed or the issue has been resolved.
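The request above to keep keys out of support tickets and to strip secrets from logs before reporting can be automated. The following Python helper is an added example, not odds-api's own tooling: it masks the value of the X-API-Key header named on this page, and also the same key when it was passed as a query parameter or JSON field. The sample diagnostics, the parameter spellings apiKey/api_key, and the key value are constructed assumptions.

```python
import re

# The header name comes from the odds-api docs; the field spellings below,
# the sample lines and the mask width are assumptions made for this example.
API_KEY_HEADER = "X-API-Key"
KEEP = 4  # trailing characters left visible so support can tell two keys apart

# Group 1: field name (header, query parameter or JSON key, case-insensitive).
# Group 2: separator (":" or "=", optionally quoted). Group 3: the key value.
# A minimum length of 8 avoids masking ordinary words such as "X-API-Key: header".
_KEY_RE = re.compile(
    r"(?i)(x-api-key|api[_-]?key)(\s*[\"']?\s*[:=]\s*[\"']?)([A-Za-z0-9._\-]{8,})"
)


def mask(key: str) -> str:
    """Replace all but the last KEEP characters of a key with asterisks."""
    if len(key) <= KEEP:
        return "*" * len(key)
    return "*" * (len(key) - KEEP) + key[-KEEP:]


def redact(text: str) -> str:
    """Return text with every API key value masked, safe to paste into a ticket."""
    return _KEY_RE.sub(lambda m: m.group(1) + m.group(2) + mask(m.group(3)), text)


def find_keys(text: str) -> list[str]:
    """List raw key values present in text, so a submit hook can refuse unredacted input."""
    return [m.group(3) for m in _KEY_RE.finditer(text)]


# Constructed diagnostics a customer might attach to a support request.
SAMPLE = """\
GET /v4/odds?bookmakers=bet365 HTTP/1.1
X-API-Key: demo4f9c2a7d1b0e8c63
curl -H 'x-api-key: demo4f9c2a7d1b0e8c63' 'https://api.example.invalid/v4/odds'
{"api_key": "demo4f9c2a7d1b0e8c63", "region": "uk"}
https://api.example.invalid/v4/odds?apiKey=demo4f9c2a7d1b0e8c63&sport=soccer
"""

if __name__ == "__main__":
    if find_keys(SAMPLE):
        print("Secrets detected; masked copy follows:\n")
    print(redact(SAMPLE))
```

Run it over any text you are about to attach to a report; `find_keys` returning a non-empty list is the signal to stop and redact first.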

Data retention

Stripe owns card data and payment method handling. odds-api keeps account, subscription, usage, and billing-link records while the account is active and as needed for billing, legal, security, and support obligations.

Redis/Valkey operational data is short-lived. Public bet event history defaults to 45 days. Service-history archives follow the configured lifecycle rules, including cooler storage after 14 to 30 days and archive storage after 60 days for odds tick history.

Major subprocessors

Named providers are listed at a product level for enterprise review. Exact infrastructure details can change as the platform evolves.

| Provider | Purpose | Data class |
|---|---|---|
| Microsoft Azure and Azure Cosmos DB | Microsite hosting, account/control records, operational containers, and archive storage. | Account, API-client, usage, operational, and support-adjacent data. |
| DigitalOcean | API runtime infrastructure and Redis/Valkey-backed fast-moving data services. | API requests, operational odds data, streams, and runtime diagnostics. |
| Stripe | Subscription billing, invoices, payment method handling, and customer portal access. | Billing contact, subscription, invoice, payment, and tax-related data. |
| Supabase | Bearer-token authentication for app-auth flows where applicable. | Authentication identifiers and session claims. |
| GitHub | Public SDKs, MCP server, examples, OpenAPI exports, and hosting of the security policy (vulnerability reports go by email, not GitHub issues). | Public repository metadata and contributor activity. |