Current posture
odds-api uses API-key authentication, server-side plan enforcement, per-client access controls, Stripe and PayPal billing, Cosmos-backed account/control records, and operational monitoring.
Security posture, API-key controls, subprocessors, vulnerability disclosure, and retention notes for teams evaluating odds-api for production and enterprise use.
Formal DPA terms, custom retention windows, scoped key permissions, and deeper audit exports are roadmap or contract-driven items.
Send sensitive reports to support@odds-api.net. Do not open public GitHub issues for vulnerabilities or exposed credentials.
Customer API calls authenticate with an API key sent in the X-API-Key request header. An active account can hold up to five keys at once, label each one, rotate a single key without disturbing the others, and delete keys from the account page. Because several labeled keys can coexist, a rotation can overlap: issue the new key, move clients across, then delete the old one.
Server-side access is controlled by ApiClients records in the Cosmos-backed control store. The controls enforced today are: active or disabled access, legacy monthly limits, v2 API-credit quotas, bookmaker allowlists, streaming/results/racing/history/bets feature flags, add-on entitlements, and admin/internal flags that mark operator or service keys.
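The following is an added example, not odds-api code, of how the controls listed above resolve from the X-API-Key header into an allow or deny decision. Everything beyond the control names is an assumption: keys are looked up by SHA-256 digest rather than stored in clear, each endpoint maps to at most one feature flag, an empty bookmaker allowlist means any bookmaker, every request costs a fixed number of v2 API credits, and the ApiClients record, endpoint paths and bookmaker ids are constructed for the demo.

```python
"""Server-side enforcement of ApiClients controls (added example, not odds-api code)."""
import hashlib
from dataclasses import dataclass

DEMO_KEY = "demo-customer-key"  # constructed; a real key comes from the account page


def demo_clients():
    """Return a fresh, constructed ApiClients record shaped after the page's controls."""
    return {
        hashlib.sha256(DEMO_KEY.encode()).hexdigest(): {   # assumption: keys stored hashed
            "client_id": "acct-demo",
            "active": True,
            "admin": False,                      # operator/service flag; not exercised here
            "credit_quota": 1000,                # v2 API-credit quota for the period
            "credits_used": 995,
            "bookmaker_allowlist": {"book-a", "book-b"},   # hypothetical bookmaker ids
            "features": {"streaming": False, "results": True,
                         "racing": False, "history": True, "bets": False},
            "addons": set(),
        }
    }


CLIENTS = demo_clients()

# Hypothetical endpoint-to-feature map; None means the endpoint is in every plan.
ENDPOINT_FEATURE = {
    "/v2/odds": None,
    "/v2/results": "results",
    "/v2/stream": "streaming",
    "/v2/history": "history",
}


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


def authorize(headers, path, bookmaker=None, cost=1, clients=None):
    """Resolve X-API-Key to a record and apply the controls in order.

    Checks run cheapest-and-most-decisive first: header present, key known,
    key active, endpoint known, feature entitlement, bookmaker allowlist,
    then credit quota. Credits are charged only when every check passes.
    """
    clients = CLIENTS if clients is None else clients
    key = headers.get("X-API-Key")
    if not key:
        return Decision(False, 401, "missing X-API-Key header")
    rec = clients.get(hashlib.sha256(key.encode()).hexdigest())
    if rec is None:
        return Decision(False, 401, "unknown key")
    if not rec["active"]:
        return Decision(False, 403, "key disabled")
    if path not in ENDPOINT_FEATURE:
        return Decision(False, 404, "unknown endpoint")
    feature = ENDPOINT_FEATURE[path]
    if feature is not None and not rec["features"].get(feature, False):
        return Decision(False, 403, f"plan does not include {feature}")
    allowlist = rec["bookmaker_allowlist"]
    if bookmaker is not None and allowlist and bookmaker not in allowlist:
        return Decision(False, 403, f"bookmaker {bookmaker} not in allowlist")
    if rec["credits_used"] + cost > rec["credit_quota"]:
        return Decision(False, 429, "API-credit quota exhausted")
    rec["credits_used"] += cost
    return Decision(True, 200, "ok")


if __name__ == "__main__":
    hdr = {"X-API-Key": DEMO_KEY}
    print(authorize(hdr, "/v2/odds", bookmaker="book-a", cost=5))   # allowed, uses last credits
    print(authorize(hdr, "/v2/stream"))                             # 403, streaming not in plan
    print(authorize(hdr, "/v2/odds", bookmaker="book-z"))           # 403, bookmaker not allowed
    print(authorize(hdr, "/v2/odds"))                               # 429, quota exhausted
    print(authorize({}, "/v2/odds"))                                # 401, no header
```

The ordering matters for what a caller learns: an unknown key gets the same 401 as a missing one, while plan and quota refusals (403, 429) are only reachable with a valid, active key, so entitlement details are never leaked to unauthenticated requests.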
The public docs and examples use customer API keys only. Internal service keys are not part of the public developer package.
The public microsite runs on Microsoft Azure infrastructure and stores account/control data in Azure Cosmos DB. The API runtime runs on DigitalOcean with Redis/Valkey for fast-moving operational data. Billing is handled by Stripe and PayPal. Supabase bearer-token auth is used where applicable for app-auth flows. The public SDK, MCP, examples, and OpenAPI package are hosted on GitHub.
The platform keeps website request logs, API quota and usage counters, Prometheus/Grafana heartbeats, and support diagnostics for operating the service. Incident artifacts can be captured during live debugging when required.
Customers should treat API keys as secrets: do not place them in browser-visible code, public repositories, issue reports, screenshots, or support tickets. If a key is exposed, rotate it from the account page and report the exposure to support@odds-api.net rather than in a public issue.
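An added example, not the odds-api SDK, of the customer-side habits described in the key sections above: keys are read from the environment rather than source code, sent in the X-API-Key header, a second labeled key is tried only when the first is refused with 401 (so an overlapping rotation does not cause downtime), and key values are redacted before diagnostics go into a log or support ticket. The environment variable names, base URL, endpoint path, key strings and the 401-on-deleted-key behaviour are assumptions; the transport is injectable so the demo runs offline.

```python
"""Customer-side API key handling (added example, not the odds-api SDK)."""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]
Transport = Callable[[str, Dict[str, str]], Response]

# Hypothetical variable names; during a rotation both are populated for a while.
KEY_VARS = [("primary", "ODDS_API_KEY_PRIMARY"), ("secondary", "ODDS_API_KEY_SECONDARY")]


def keys_from_env(env: Dict[str, str]) -> Dict[str, str]:
    """Collect labeled keys from the environment; never from source code."""
    keys = {label: env[var] for label, var in KEY_VARS if env.get(var)}
    if not keys:
        raise RuntimeError("no odds-api key configured in the environment")
    return keys


class OddsApiClient:
    def __init__(self, keys: Dict[str, str], transport: Transport,
                 base_url: str = "https://api.example.invalid"):   # placeholder host
        self.keys = keys
        self.transport = transport
        self.base_url = base_url
        self.rejected: List[str] = []   # labels of keys the API has refused

    def get(self, path: str) -> Response:
        """Send X-API-Key; on 401 only (key unknown or deleted) try the next label.

        403 and 429 are plan or quota decisions about a valid key and are
        returned unchanged, so falling back never masks an entitlement problem.
        """
        for label, key in self.keys.items():
            if label in self.rejected:
                continue
            headers = {"X-API-Key": key, "Accept": "application/json"}
            status, body = self.transport(self.base_url + path, headers)
            if status == 401:
                self.rejected.append(label)
                continue
            return status, body
        raise PermissionError("every configured key was rejected; rotate from the account page")


def redact(text: str, keys: Dict[str, str]) -> str:
    """Mask known key values and any X-API-Key header value before sharing diagnostics."""
    for key in keys.values():
        text = text.replace(key, "[REDACTED]")
    # Also catch header dumps whose value is not one of our configured keys.
    return re.sub(r"(?i)(x-api-key\s*[:=]\s*)\S+", r"\1[REDACTED]", text)


def demo() -> Tuple[int, List[str], str]:
    """Offline run: the primary key was deleted server-side, the secondary works."""
    env = {"ODDS_API_KEY_PRIMARY": "old-key-123",      # constructed values
           "ODDS_API_KEY_SECONDARY": "new-key-456"}
    keys = keys_from_env(env)

    def fake_transport(url: str, headers: Dict[str, str]) -> Response:
        # Stand-in for the real HTTP call: only the rotated-in key is accepted.
        if headers["X-API-Key"] == "new-key-456":
            return 200, '{"ok": true}'
        return 401, "unauthorized"

    client = OddsApiClient(keys, fake_transport)
    status, _ = client.get("/v2/odds")
    log_line = redact("GET /v2/odds X-API-Key: old-key-123 -> 401", keys)
    return status, client.rejected, log_line


if __name__ == "__main__":
    print(demo())
```

Once the secondary key is serving traffic, delete the old key from the account page; the client keeps working because the refused label is skipped on later calls.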
Email reports to support@odds-api.net with the affected URL, package, endpoint, reproduction steps, impact, and any relevant logs or screenshots with secrets removed.
We aim to acknowledge valid reports on a best-effort basis within 2 business days. Please avoid public disclosure until a remediation path has been agreed or the issue has been resolved.
Stripe owns card data and payment method handling. PayPal owns PayPal wallet approval and payment handling. odds-api keeps account, subscription, usage, and billing-link records while the account is active and as needed for billing, legal, security, and support obligations.
Redis/Valkey operational data is short-lived. Public bet event history defaults to 45 days. Service-history archives follow the configured lifecycle rules, including cooler storage after 14 to 30 days and archive storage after 60 days for odds tick history.
Named providers are listed at a product level for enterprise review. Exact infrastructure details can change as the platform evolves.
| Provider | Purpose | Data class |
|---|---|---|
| Microsoft Azure and Azure Cosmos DB | Microsite hosting, account/control records, operational containers, and archive storage. | Account, API-client, usage, operational, and support-adjacent data. |
| DigitalOcean | API runtime infrastructure and Redis/Valkey-backed fast-moving data services. | API requests, operational odds data, streams, and runtime diagnostics. |
| Stripe | Subscription billing, invoices, payment method handling, and customer portal access. | Billing contact, subscription, invoice, payment, and tax-related data. |
| PayPal | Optional PayPal subscription checkout, approval, payment status, and lifecycle webhooks. | PayPal payer, subscription, payment status, and billing-link data. |
| Supabase | Bearer-token authentication for app-auth flows where applicable. | Authentication identifiers and session claims. |
| GitHub | Public SDKs, MCP server, examples, OpenAPI exports, and the published security policy (vulnerabilities are not accepted as public issues). | Public repository metadata and contributor activity. |