Authentication

API keys

All endpoints (except /v1/health and webhooks) require a Bearer token.

curl -H "Authorization: Bearer rw_live_..." \
  https://api.rewind.rest/v1/listening/recent

Key types

Key type	Prefix	Access
Read	`rw_live_...`	All GET endpoints
Admin	`rw_admin_...`	All endpoints including sync triggers, data management, and key management

Read keys are safe to use in client-side applications. Admin keys should only be used server-side.

Rate limiting

Each API key gets 100 requests per 60-second sliding window. Every response carries the current state in headers, and exceeding the limit returns 429 Too Many Requests.

Header	Meaning
`X-RateLimit-Limit`	Requests allowed per window
`X-RateLimit-Remaining`	Requests left in the current window
`X-RateLimit-Reset`	Unix timestamp (seconds) when the window resets
`Retry-After`	Seconds to wait before retrying, sent only on 429

Unauthorized responses

If your key is missing or invalid:

{
  "error": "Unauthorized",
  "status": 401
}

​API keys

​Key types

​Rate limiting

​Unauthorized responses

API keys

Key types

Rate limiting

Unauthorized responses