Skip to main content
This page is for customer admins and owners who need to get builders unblocked fast. You will learn where to create a Sports MCP Server key in the portal, how to name and govern keys by environment, and when CORS should or should not be enabled. The fastest path is:
  1. Open Sports MCP Server in the customer portal.
  2. Go to the API tab.
  3. Create a key for the environment or app you are launching.
  4. Add a CORS origin only if you have a reviewed browser-based use case.

What This Page Helps You Do

  • create a product-scoped key without waiting on support
  • hand the right credential to the right team or environment
  • keep production keys off the browser unless the risk is understood
  • allow controlled browser access for specific origins when required

Portal Path

TaskPortal location
Create a keyProducts -> Sports MCP Server -> API -> Create API Key
Delete a keyProducts -> Sports MCP Server -> API -> Keys
Review CORS originsProducts -> Sports MCP Server -> API -> CORS Origins

Product-Scoped Keys

Sports MCP Server keys are product-scoped. A key created for sports-mcp-server works only against that product. That gives customer teams two important controls:
  • builders get only the access they need for this product
  • a key from another product cannot be reused here by accident
Key patternWhy it helps
sports-mcp-server-dev-assistantisolates local or sandbox work
sports-mcp-server-staging-agentkeeps pre-production traffic separate
sports-mcp-server-prod-scoreboardlets you attribute usage to a real customer-facing surface
sports-mcp-server-prod-editorialseparates internal tooling from public experiences

Create an API Key

  1. Open the API tab for Sports MCP Server.
  2. Select Create API Key.
  3. Enter a clear name that matches an environment or product surface.
  4. Copy the full secret immediately.
Important:
  • the full key value is shown only once
  • builders should store it in a secure secret manager
  • if a key is lost, create a new one instead of expecting retrieval

What To Hand Off To Developers

Give implementers these four pieces of information:
  • product: sports-mcp-server
  • endpoint: https://sports-mcp-server.etonecarg.com/
  • auth pattern: Authorization: Bearer <API_KEY>
  • docs starting point: Quickstart

CORS Origins

The CORS Origins section exists for browser-based scenarios, but it should be used carefully. Gracenote recommends proxying Sports MCP Server calls through your backend whenever possible. That keeps the API key off the client, gives you a place for request shaping and logging, and avoids leaking a production credential into frontend code.

CORS Rules

RuleCurrent behavior
Max origins50 per organization per product
Production schemehttps:// required
Local developmenthttp://localhost and http://127.0.0.1 allowed
Paths, queries, fragmentsnot allowed
Valid examples: 
https://app.example.com
https://sports.example.com
http://localhost:3000
Invalid examples: 
https://app.example.com/dashboard
https://app.example.com?env=prod
http://app.example.com

When To Allow Browser Access

Allow browser access only when all three are true:
  1. the use case genuinely requires direct browser requests
  2. the allowed origin list is narrow and controlled
  3. the team has reviewed how the key will be stored, rotated, and monitored
If any of those are unclear, use a backend proxy instead.

Common Mistakes

  • creating one shared key for every environment and every app
  • using a generic name that makes usage attribution impossible later
  • expecting the portal to show the full secret again after creation
  • adding broad browser origins before the product has a real need for them

Next Step

If the key is ready, move to Quickstart. If you are planning production controls, continue to Usage, Billing, Exports, and Users.