API Keys
Generate and manage API keys for external integrations
API keys allow external tools, bots, or scripts to interact with your server through the WardenCore HTTP API. For example, you might use an API key to connect a custom stats dashboard, a Discord bot, or an automated moderation script.
API key management is found under Settings > API in the panel sidebar.
Generating a New Key
Open the API page
Expand the Settings section in the sidebar and click API.
Enter a key name
In the Key Name field, type a descriptive name for this key. Use something that identifies what the key is for -- for example, "Discord Bot", "Stats Dashboard", or "Backup Script".
Select permissions
Choose which permissions this key should have by checking the boxes:
- Read -- can query data (players, stats, server info)
- Write -- can perform actions (send commands, messages)
- Admin -- full access including admin management
At least one permission must be selected. If none are checked, Read is selected automatically.
Click "Generate"
Click the Generate button. The new key appears in a green highlighted box below the form.
Copy the key immediately. It will not be shown again after you navigate away or refresh the page. The key list only shows a masked version for security.
Save your key now
The full API key is only displayed once, immediately after generation. If you lose it, you cannot retrieve it. You will need to delete the old key and generate a new one.
Principle of least privilege
Always use the minimum permissions needed. A stats dashboard only needs Read access. A Discord bot that sends commands needs Read and Write. Only grant Admin if the tool genuinely needs to manage admins or configuration.
Deleting a Key
To delete a key, click the Delete button on its row. Once confirmed, the key is permanently revoked.
Using API Keys
To authenticate with an API key, include it in the request header:
X-API-Key: your-api-key-hereAlways use HTTPS when sending API keys. Sending keys over plain HTTP exposes them in transit.
Steam API Key
The API settings page also includes a Steam API card. This is a separate configuration for the Steam Web API, which WardenCore uses to fetch VAC ban history, game ban status, and playtime hours for player profiles.
Get a Steam API key
Visit the Steam Developer Portal and register for a free API key. You need a Steam account with a verified email.
Enter the key
Paste the key into the input field in the Steam API card and click Save.
Verify
Once saved, the card shows a "Configured" badge with a masked version of your key. Player profiles will now show Steam data including VAC/game ban status and hours played.
To remove the Steam API key, click the Remove button. Player profiles will no longer display Steam-specific data, but the panel continues to work normally.
Common Issues
Lost API key
If you lost or forgot a key, you cannot retrieve it. Delete the old key and generate a new one with the same name and permissions. Update the key in whatever tool or script was using it.
API returns 401 Unauthorized
The key is either incorrect, deleted, or not being sent properly. Double-check that:
- The key value is copied exactly, with no extra spaces
- You are sending the key in the
X-API-Keyheader - The key has not been deleted from the panel
API returns 403 Forbidden
The key is valid but does not have permission for the requested action. For example, a key with only Read permission cannot send commands (a Write action). Generate a new key with the required permissions, or add the missing permission scope.
Steam data not showing in player profiles
If player profiles show "API key not configured" in the Steam section, the Steam Web API key has not been set. Go to Settings > API and configure it in the Steam API card.