Authentication
The Podium GraphQL API uses API key authentication for API calls. Human access to the developer portal uses either:
- A self-serve email/password account
- Podium SSO for internal staff
Once you are in the portal, every API request still carries a key in the x-api-key HTTP header.
Sending the API key
Section titled “Sending the API key”Pass your key in the x-api-key header on every request:
curl -X POST https://api.podium.pagroup.com/graphql \ -H "Content-Type: application/json" \ -H "x-api-key: std_your_key_here" \ -d '{"query":"{ __typename }"}'const response = await fetch('https://api.podium.pagroup.com/graphql', { method: 'POST', headers: { 'Content-Type': 'application/json', 'x-api-key': process.env.PODIUM_API_KEY, }, body: JSON.stringify({ query: '{ __typename }' }),});const { data } = await response.json();import httpx, os
client = httpx.Client( base_url="https://api.podium.pagroup.com", headers={"x-api-key": os.environ["PODIUM_API_KEY"]},)resp = client.post("/graphql", json={"query": "{ __typename }"})print(resp.json())Scope tiers
Section titled “Scope tiers”API keys are issued with one of three scope tiers. The tier controls which fields are visible in GraphQL responses.
| Tier | Key prefix | Fields available |
|---|---|---|
| Standard Card | std_ | Race card data: meetings, races, runners, SP, draw, weight, form |
| Editorial Card | edt_ | Standard + editorial fields: tips, verdicts, forecast/ESP prices, close-up comments |
| Internal API | int_ | Full schema including write mutations (Podium internal use only) |
Fields outside your tier’s scope are removed from the schema entirely — they will not appear in introspection and cannot be queried. The server pre-builds a filtered schema per tier at startup.
Rate limits
Section titled “Rate limits”Rate limits are enforced per key and reset on a rolling one-hour window.
| Tier | Requests / hour |
|---|---|
| Standard Card | 1 000 |
| Editorial Card | 5 000 |
| Internal API | 50 000 |
When a limit is exceeded the API returns HTTP 429 Too Many Requests with a Retry-After header indicating seconds until the window resets.
Key lifecycle
Section titled “Key lifecycle”Creating a key
Section titled “Creating a key”- Sign in to the developer portal.
- Create or join an organisation.
- Navigate to Organisations → API Keys → Generate key.
- Choose a scope tier and environment.
- Copy the key — it is shown once only. The server stores only a secure hash.
Revoking a key
Section titled “Revoking a key”Go to Organisations → API Keys, find the key, and select Revoke. Revocation takes effect within one second (NFR-003). Any in-flight requests using the revoked key will be rejected on their next validation.
Rotating a key
Section titled “Rotating a key”When you rotate a key, the system:
- Issues a new key immediately.
- Sets a 24-hour grace period on the old key so existing integrations have time to update.
- After 24 hours, the old key is permanently invalidated.
To rotate:
- Go to Organisations → API Keys.
- Select the key and click Rotate.
- Copy the new key and update your integrations.
- Confirm rotation — the grace period starts.
Request logging
Section titled “Request logging”Every authenticated request generates a structured log entry tied to your key ID. Logs include:
operation— the GraphQL operation name (use named operations for better observability)latency_ms— end-to-end response time in millisecondsstatus—successorerror
Your organisation’s audit log is available in the developer portal alongside your key management screens.