Authentication

FutPicks uses the existing application authentication and subscription model. Do not build a parallel auth system around these APIs.

Access tiers

Data API access is for Admin or Pro users. Operations API access is for Admin/operator users only.

Authorization header

Use a bearer token when calling protected endpoints:

Authorization: Bearer <token>

Expected failures

Scenario	Result
Missing token	401 Unauthorized
Invalid/expired token	401 Unauthorized
Authenticated free user calls Data API	403 Forbidden
Pro user calls Operations API	403 Forbidden
Admin/operator calls Operations API	Allowed

Examples

Missing token

curl -i https://futpicks.com/api/v1/data/catalog

Expected: 401.

Pro data access

curl -i https://futpicks.com/api/v1/data/catalog \
  -H "Authorization: Bearer $FUTPICKS_TOKEN"

Expected for Pro/Admin: 200.

Admin ops access

curl -i https://futpicks.com/api/v1/ops/health/services \
  -H "Authorization: Bearer $FUTPICKS_ADMIN_TOKEN"

Expected for Admin/operator: 200.

Error format

Application-level errors (400, 403, 404, 409, 422) return RFC 9457-compatible problem details:

{
  "type": "https://futpicks.com/problems/forbidden",
  "title": "Forbidden",
  "status": 403,
  "detail": "This endpoint requires a Pro subscription or admin role."
}

Authentication failures (401) return an empty body with a WWW-Authenticate: Bearer header per the OAuth 2.0 spec.