REST API
API Overview
Common conventions, response format, and error codes
Base URL
https://api.winnova.pro/api/ext/v1Response Format
All responses follow this structure:
{
"success": true,
"data": { ... }
}Error responses:
{
"success": false,
"error": "error message"
}HTTP Status Codes
| Code | Description |
|---|---|
200 | Success |
400 | Bad Request — invalid parameters |
401 | Unauthorized — missing or invalid API Key |
403 | Forbidden — insufficient scope or IP not whitelisted |
404 | Not Found |
429 | Rate Limit Exceeded |
500 | Internal Server Error |
Pagination
List endpoints support cursor-based pagination:
| Parameter | Type | Description |
|---|---|---|
limit | integer | Items per page (default: 20, max: 100) |
offset | integer | Number of items to skip |
Content Type
- Request body:
application/json - Response body:
application/json
Quickstart Example
A complete signed request to list active NBA events:
API_KEY="po_live_your_api_key"
API_SECRET="your_api_secret"
TIMESTAMP=$(date +%s%3N) # milliseconds
NONCE=$(openssl rand -hex 16) # unique per request
PATH="/api/ext/v1/events?league=nba&status=active"
# SHA-256 of empty body for GET requests
BODY_HASH=$(echo -n "" | openssl dgst -sha256 -hex | awk '{print $NF}')
# Signing string: METHOD\nPATH\nTIMESTAMP\nNONCE\nSHA256(BODY)
SIGNING_STRING="GET\n${PATH}\n${TIMESTAMP}\n${NONCE}\n${BODY_HASH}"
# HMAC-SHA256 of the full signing string
SIGNATURE=$(echo -ne "$SIGNING_STRING" | openssl dgst -sha256 -hmac "$API_SECRET" -hex | awk '{print $NF}')
curl -s "https://api.winnova.pro${PATH}" \
-H "X-API-KEY: $API_KEY" \
-H "X-API-TIMESTAMP: $TIMESTAMP" \
-H "X-API-SIGNATURE: $SIGNATURE" \
-H "X-API-NONCE: $NONCE"