Security and reliability

Give buyers enough security and readiness signal to keep the evaluation moving.

BatteryArb uses API key authentication, rotates keys on resend, exposes health and docs publicly, and keeps raw secrets off public billing surfaces. For dashboards, use a server-side proxy pattern.

Authentication

API key access

Protected endpoints require `X-API-Key`. Admin operations use a separate admin key and are not public-facing.

Key lifecycle

Rotation and revocation

Keys are issued after checkout, can be revoked by support tooling, and resend flows rotate a fresh key instead of retrieving an old secret.

Client safety

Server-side proxy pattern

Do not embed raw keys into browser dashboards. Proxy requests through your backend or worker and return only the filtered data your UI needs.

Reliability

Health and docs

Use the live health endpoint, Swagger UI, OpenAPI schema, and static docs mirror during evaluation and ops review.

Support

Pilot and production support paths

Support posture scales with commercial commitment, from evaluation email support to production onboarding and enterprise review.

Operational fit

Fast integration

Quickstarts, example responses, and Postman reduce the time needed to answer buyer and engineering diligence questions.

Privacy

Buyer-readable privacy posture

BatteryArb publishes separate privacy and data-handling pages so procurement and security reviewers can understand what is collected, what is retained, and what is not sold or exposed.

Stability

API change expectations

Core endpoint behavior is documented in OpenAPI and paired with quickstart examples so technical buyers can review stability expectations before integration.

Legal

Public legal baseline

Terms, acceptable use, and data handling policies are available publicly so buyers do not need to request them one by one during early-stage evaluation.

Infrastructure and availability

The API is exposed on a dedicated host with public health and documentation endpoints so engineering, operations, and procurement reviewers can validate service availability and docs without needing a private walkthrough first.

Operational security expectations

Customers should store API keys in secret managers or server-side configuration, proxy browser-facing use cases through a backend or edge worker, and rotate credentials if access scope changes or a key is exposed.

Write-path protection

Browser-origin and content-type checks

Checkout, resend, and contact endpoints only accept approved browser origins and JSON payloads, which reduces abuse from cross-site form posting and scripted spam.

Host validation

Requests must target the intended API host

Trusted host enforcement reduces host-header abuse: the service answers only requests addressed to the API domain or to local development hosts.
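The checks described under Write-path protection and Host validation can be sketched as a single request gate. This is an added example, not BatteryArb's own code; the host names, approved origins, status codes and function names are placeholder assumptions.

```python
# Added illustration (not BatteryArb code): gate for checkout/resend/contact writes.
# Host names and origins below are placeholder assumptions.
TRUSTED_HOSTS = {"api.example.com", "localhost", "127.0.0.1"}
APPROVED_ORIGINS = {"https://www.example.com", "http://localhost:3000"}


def _hostname(host_header):
    """Lower-case the Host header and drop any port."""
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:8000
        return host[1:host.index("]")] if "]" in host else ""
    return host.rsplit(":", 1)[0]


def _media_type(content_type):
    """Return the bare media type without parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()


def check_write_request(headers):
    """Return (status, reason); 200 means the request may reach the handler."""
    h = {k.lower(): v for k, v in headers.items()}
    if _hostname(h.get("host", "")) not in TRUSTED_HOSTS:
        return 400, "untrusted host"
    # Exact match only: prefix or substring tests would admit look-alike origins.
    if h.get("origin") not in APPROVED_ORIGINS:
        return 403, "origin not approved"
    # HTML forms can only send urlencoded, multipart or text/plain bodies,
    # so requiring application/json rejects plain cross-site form posts.
    if _media_type(h.get("content-type", "")) != "application/json":
        return 415, "JSON payload required"
    return 200, "ok"


# Constructed sample requests (header dictionaries only).
SAMPLES = {
    "browser checkout": {"Host": "api.example.com", "Origin": "https://www.example.com",
                         "Content-Type": "application/json; charset=utf-8"},
    "form-encoded post": {"Host": "api.example.com", "Origin": "https://www.example.com",
                          "Content-Type": "application/x-www-form-urlencoded"},
    "look-alike origin": {"Host": "api.example.com:443",
                          "Origin": "https://www.example.com.attacker.test",
                          "Content-Type": "application/json"},
    "spoofed host": {"Host": "internal.example.net", "Origin": "https://www.example.com",
                     "Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, check_write_request(headers))
```

A request with no Origin header is rejected here as well, which matches the "approved browser origins only" wording for these endpoints.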

Billing integrity

Webhook signatures are required outside development

Stripe webhook processing no longer falls back to unsigned event parsing in production-style environments. Signed delivery is required for live billing automation.