More Rewards
Developer Documentation

Status: Stable.

Authentication

More Rewards authenticates public API requests using one API key set per club.

Club API keys

Each club receives its own:

  • keyId
  • signing secret
  • environment (sandbox or live)
  • credential status

The key identifies the club, so public API requests do not need clubId. If a request includes a clubId, it must match the authenticated club or it is rejected.

The current credential states are:

  • active
  • rotated
  • revoked

Only active credentials are accepted.

Required headers

Every request requires:

X-MR-Key-Id: club_sbx_example
X-MR-Timestamp: 2026-03-25T09:00:00Z
X-MR-Signature: v1=<hex_hmac_sha256>

Every POST also requires:

X-MR-Idempotency-Key: unique-request-key

Timestamp rules

Requests are rejected when the timestamp is outside a 5-minute window.

Accepted formats:

  • ISO-8601 timestamp
  • Unix epoch timestamp in milliseconds

ISO-8601 is recommended.

Credential checks

More Rewards:

  1. resolves X-MR-Key-Id
  2. checks the credential is active
  3. checks the credential matches the API environment
  4. recomputes the HMAC signature
  5. requires an idempotency key for POST
  6. resolves the club from the key

Standard auth failure response

{
  "ok": false,
  "error": {
    "code": "unauthorized",
    "message": "Partner credential is missing or inactive",
    "retryable": false
  }
}

Other auth-layer error codes:

  • invalid_signature
  • stale_timestamp
  • invalid_request
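
Added example, not More Rewards code: a local mock of the checks above that a partner can use to test a signer before calling the sandbox. The bytes that are signed are not defined on this page, so they are passed in as opaque input. Assumptions: the window is 5 minutes either side of server time, and the error codes chosen for an environment mismatch, an unparseable timestamp and a missing idempotency key.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # assumption: allowed skew either side of server time

# Constructed credential store; the secret and club name are sample values.
CREDENTIALS = {
    "club_sbx_example": {"secret": b"constructed-secret", "environment": "sandbox",
                         "status": "active", "club": "constructed-club"},
}

def parse_timestamp(value):
    """Accept Unix epoch milliseconds or ISO-8601; return an aware datetime or None."""
    try:
        if value.isdigit():
            return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, OverflowError, OSError):
        return None
    return parsed if parsed.tzinfo else None  # reject timestamps with no zone

def check_request(method, headers, signed_bytes, api_environment, now):
    """Return (club, None) on success or (None, error_code) on failure."""
    cred = CREDENTIALS.get(headers.get("X-MR-Key-Id", ""))
    if cred is None or cred["status"] != "active":
        return None, "unauthorized"
    if cred["environment"] != api_environment:
        return None, "unauthorized"  # assumption: mismatch maps to this code
    ts = parse_timestamp(headers.get("X-MR-Timestamp", ""))
    if ts is None:
        return None, "invalid_request"  # assumption
    if abs(now - ts) > WINDOW:
        return None, "stale_timestamp"
    expected = "v1=" + hmac.new(cred["secret"], signed_bytes, hashlib.sha256).hexdigest()
    supplied = headers.get("X-MR-Signature", "")
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None, "invalid_signature"
    if method == "POST" and not headers.get("X-MR-Idempotency-Key"):
        return None, "invalid_request"  # assumption
    return cred["club"], None
```

Pass the current UTC time as now, for example datetime.now(timezone.utc); a rotated or revoked credential fails the first check the same way an unknown key does.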

Notes

  • Use sandbox keys only with sandbox URLs.
  • Use live keys only with live URLs.
  • Store signing secrets server-side only.
  • Treat signature failures as hard failures until the signer is fixed.