Every request requires a partner-scoped API key, sent in the X-API-Key header.
X-API-Key: rip_v1_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys are issued by rip.fun per partner, with an explicit set of scopes. A request whose key
lacks the required scope is rejected with 403 Insufficient permissions.
| Scope | Grants |
|---|---|
read:catalog | catalog, odds, feeds, card pricing |
wallet:read | balance, ledger, deposits |
wallet:deposit | get/create a deposit address |
packs:purchase | custodial + non-custodial purchase |
packs:read | purchase status / history, stats, buyback + redemption status |
packs:buyback | create buyback offers |
cards:redeem | redemption quote / prepare / submit |
pool:manage | get/set the buyback pool wallet — exclusive: only keys explicitly granted this scope can use it |
webhooks:manage | register / list / delete webhooks, delivery log |
By default every "Try it" runner in these docs uses this demo's built-in staging demo key. If you already have your own partner key, paste it into the API key field at the top of the sidebar and every runner (and the generated curl snippets) will use it instead — handy for verifying that your key works and
carries the scopes you expect. A 401/403 from a runner then means the
key itself (or a missing scope from the table above) is the problem.
X-API-Key header to the whitelisted Mystery Pack API paths — never to any third
party, and it is never logged or stored server-side.120 requests / minute per API key, shared across the whole /api/v1 surface. In addition, some endpoint families have per-key concurrency
caps: purchase / buyback / redemption writes are limited to 5 concurrent requests, and wallet reads to 10 concurrent. Requests beyond a limit are
rejected — back off and retry.