PREMIUM API KEYS

TFCL PLAY · API KEYS

Service-to-service bearer authentication for TFCL Premium members. Issue a key on /premium, paste the Authorization header into your service, and you can drive provisioning, scheduling, and map uploads from any language that can make an HTTP request.

QUICK REFERENCE
HEADER Authorization: Bearer tfcl_pk_<43 chars>
BASE https://play.tfcleague.com
RATE 60 requests / minute / key - 429 with Retry-After on overrun.
AVAILABLE ENDPOINTS (BEARER)

All routes below also accept a session cookie. The bearer header lets you call them from your own service / bot / dashboard without scraping the Steam login flow.

GET /api/servers
List reservations (the authenticated account's own servers).
POST /api/servers
Provision a new TFCL premium server (region + map + config).
GET /api/servers/:id
Reservation detail including connect IP / RCON (owner or admin).
DELETE /api/servers/:id
Destroy a reservation early (owner or admin).
POST /api/servers/schedule
Schedule a future-dated provision (Premium-only).
DELETE /api/servers/scheduled/:id
Cancel a scheduled reservation (owner).
GET /api/servers/scheduled/mine
List scheduled reservations for the caller.
POST /api/maps/upload
Upload a .bsp to maps.tfcleague.com (Premium-only - 95MB cap).
DELETE /api/maps/:id
Remove a map (uploader or admin).
EXAMPLE · PROVISION A SERVER

Provision a premium server in Frankfurt, CP Process, with the RGL config preset - one POST, no scraping.

curl -X POST "https://play.tfcleague.com/api/servers"  -H "Authorization: Bearer tfcl_pk_YOUR_KEY_HERE"  -H "Content-Type: application/json"  -d '{
 "region": "fra",
 "map": "cp_process_f12",
 "config_preset": "rgl",
 "rcon_password": "your-strong-password"
 }'

The response is the same shape any logged-in browser session gets - a row of the reservation table including connect IP and RCON once Vultr has provisioned.

KEY LIFECYCLE
  • Create on /premium → raw key shown once (save it then).
  • Storage is SHA-256 only - TFCL cannot recover a lost raw key.
  • Auto-stop when TFCL Premium lapses - no manual cleanup needed.
  • Revoke manually any time on /premium or via DELETE /api/premium/api-keys/:id.
SECURITY MODEL
  • Bearer key in Authorization header - never in URLs (they end up in logs).
  • Key format: tfcl_pk_<43 base64url chars> - 256 bits of CSPRNG entropy.
  • Constant-time-ish SHA-256 lookup on the auth path - no timing oracle.
  • Per-key audit log (endpoint, method, hashed IP, status) - visible to the owner in the /premium card. Admins see all keys.
  • Prefix tfcl_pk_ = premium-scope (auto-stops on lapse). Prefix tfcl_ak_ = admin-scope (requires is_admin = 1).
SELF-SERVICE · /api/premium/api-keys
POST /api/premium/api-keys
Body: {"label":"Stats dashboard"} (optional nickname). Response includes raw_key shown exactly once.
GET /api/premium/api-keys
List the caller's own keys (no hashes) plus the last 20 audit rows per key.
DELETE /api/premium/api-keys/:id
Revoke the caller's own key. Admins can revoke anyone's key via DELETE /api/admin/api-keys/:id.
COMMON STATUS CODES
  • 200Authenticated request succeeded.
  • 201Provisioning or upload completed.
  • 401No valid bearer key (and no session cookie, for endpoints that also accept cookies).
  • 403Bearer key valid but bound account has lapsed TFCL Premium, isn't admin for an admin-scoped key, or the route's RBAC rule failed.
  • 429Rate limit exceeded - check Retry-After header for cooldown.