
Overview

The SkyTeam ROBLOX API uses API key authentication via the x-api-key header. Each airline has a unique API token that must be included in all requests (except /health).

Authentication Flow

Authentication is handled by the airlineAuth middleware defined in middleware/auth.ts:9. The middleware:
  1. Extracts the x-api-key header from the request
  2. Validates the token against the database
  3. Attaches the airline data to res.locals for use in route handlers

Authentication Middleware

Location: apps/api/src/middleware/auth.ts:9

// Express request/response types used by the middleware signature.
import type { Request, Response, NextFunction } from "express";
// fetchAirlineByToken (database lookup) and safeAirline (token stripping,
// defined at auth.ts:4) are project helpers referenced by this excerpt.

export async function airlineAuth(
  req: Request,
  res: Response,
  next: NextFunction,
) {
  // Step 1: read the API key from the x-api-key request header
  const token = req.header("x-api-key");
  if (!token) {
    return res.status(401).json({ error: "Missing x-api-key header" });
  }

  // Step 2: resolve the token to an airline row; unknown tokens get a 401
  const airline = await fetchAirlineByToken(token);
  if (!airline) {
    return res.status(401).json({ error: "Invalid API key" });
  }

  // Step 3: attach to locals for downstream handlers. `airline` still carries
  // the token (server-side use only); `safeAirline` is the copy to return.
  res.locals.airline = airline;
  res.locals.safeAirline = safeAirline(airline);

  return next();
}

Making Authenticated Requests

Required Header

x-api-key (string, required): Your airline's unique API token. This is generated when your airline is created in the database.

Example Request

cURL:

curl -X GET https://api.skyteam.dev/airline \
  -H "x-api-key: clh1234567890abcdefghijk"

JavaScript (fetch):

fetch('https://api.skyteam.dev/airline', {
  headers: {
    'x-api-key': 'clh1234567890abcdefghijk'
  }
})
.then(res => res.json())
.then(data => console.log(data));

Error Responses

Missing API Key

Status: 401 Unauthorized
{
  "error": "Missing x-api-key header"
}

Invalid API Key

Status: 401 Unauthorized
{
  "error": "Invalid API key"
}

Token Security

Keep your API key secure! Never expose it in client-side code or public repositories.
  • API keys should be stored as environment variables
  • Tokens are stored in the airlines.token database column
  • The safeAirline helper (defined in middleware/auth.ts:4) strips the token from airline objects before returning them to clients

Protected Endpoints

All endpoints require authentication except:
  • GET /health - Public health check endpoint

Token in Response Data

When airline data is returned in API responses, the token is automatically removed using the safeAirline helper function:
export function safeAirline<T extends { token?: string }>(airline: T) {
  // Object rest pulls `token` out and leaves every other property in `safe`
  const { token, ...safe } = airline as any;
  return safe;
}
This ensures tokens are never accidentally exposed in API responses.
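To make the middleware flow from the Authentication Middleware section and the safeAirline stripping above concrete, here is an added example (not the SkyTeam project's own code) that models the same three outcomes, the /health exemption, and the token-free response copy as plain functions, with a constructed in-memory airline table standing in for the database lookup:

```typescript
// Added example (not the SkyTeam project's own code): a framework-free model
// of the airlineAuth flow on this page, so the three outcomes (missing key,
// invalid key, success), the /health exemption and safeAirline stripping can
// be exercised without an Express server or a database.

type Airline = { id: string; name: string; token?: string };

export type AuthResult =
  | { kind: "public" }                              // /health, no key needed
  | { kind: "reject"; status: 401; error: string }  // 401 body: { error }
  | { kind: "ok"; airline: Airline; safeAirline: Omit<Airline, "token"> };

// Same behaviour as the page's safeAirline helper: drop `token`, keep the rest.
export function safeAirline<T extends { token?: string }>(airline: T): Omit<T, "token"> {
  const { token: _token, ...safe } = airline;
  return safe;
}

// Constructed stand-in for the airlines table (the page's fetchAirlineByToken
// reads the real airlines.token column instead).
const AIRLINES: Airline[] = [
  { id: "al_1", name: "Example Air", token: "clh1234567890abcdefghijk" },
];

export async function fetchAirlineByToken(token: string): Promise<Airline | null> {
  return AIRLINES.find((a) => a.token === token) ?? null;
}

// Express's req.header() matches header names case-insensitively; do the same.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return entry?.[1];
}

// Mirrors airlineAuth: extract x-api-key, validate against the store, attach
// both the raw airline (server-side use) and the token-free copy (for responses).
export async function authenticate(
  path: string,
  headers: Record<string, string>,
): Promise<AuthResult> {
  if (path === "/health") return { kind: "public" };
  const token = getHeader(headers, "x-api-key");
  if (!token) return { kind: "reject", status: 401, error: "Missing x-api-key header" };
  const airline = await fetchAirlineByToken(token);
  if (!airline) return { kind: "reject", status: 401, error: "Invalid API key" };
  return { kind: "ok", airline, safeAirline: safeAirline(airline) };
}
```

Only the `safeAirline` copy should ever be serialised into a response body; the raw `airline` object stays server-side, exactly as res.locals is used in the real middleware.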
