Summary
public/openapi.json declares 7 paths that the live sharp-api-go backend does not implement. Customers — including the new RapidAPI marketplace listing — hit 404 on these endpoints despite their being documented in our spec.
Discovered while sweeping the RapidAPI listing's exposed endpoint set on 2026-05-03 (see wiki/operations/2026-05-03 RapidAPI Marketplace Key Mint.md).
Phantom routes
| Path |
Method |
Live backend response |
/account |
GET |
{"message":"Endpoint '/account' does not exist"} |
/account/keys |
GET |
same |
/account/keys |
POST |
same |
/account/usage |
GET |
same |
/account/keys/{keyId} |
DELETE |
(untested but parent missing) |
/account/keys/{keyId}/rotate |
POST |
(untested but parent missing) |
/sports/{sportId} |
GET |
404 page not found (no JSON envelope — bare Go ServeMux 404) |
/sportsbooks/{bookId} |
GET |
404 page not found (same) |
/stream may also be misrouted — backend returned Endpoint '/stream' does not exist to a plain GET, but it should serve SSE on /api/v1/stream with Accept: text/event-stream. Worth confirming the route is actually mounted.
Reproduction
Free-tier X-API-Key against live origin (works for the same keys that do succeed on /odds, /sports, etc.):
```bash
source /root/sharpapi.io/.env
for p in /api/v1/account /api/v1/account/usage /api/v1/sportsbooks/draftkings /api/v1/sports/basketball_nba; do
curl -sS -o /dev/null -w "%{http_code} %{url_effective}\n"
"https://api.sharpapi.io\$p" -H "X-API-Key: $SHARPAPI_KEY"
done
```
Full sweep of all 37 declared paths via the RapidAPI proxy: results at /shared-tmp/rapidapi-endpoint-test-results.txt on the dev server (192.168.4.151).
Fix options
Two independent calls. Pick per-route:
A. Implement in sharp-api-go (recommended for /account/*)
The /account/* namespace is the most user-facing miss — would let customers see usage / rotate keys without going through the marketing-site dashboard. sharp-api-go already has authMiddleware + Unkey integration, so wiring /account/usage (read key.lastUsedAt + month-to-date counter from Valkey) and /account/keys/{keyId} (delete via Unkey keys.deleteKey) is a small handler.
B. Remove from spec (recommended for /sports/{sportId}, /sportsbooks/{bookId})
Probably never had real implementations — spec authored speculatively. List endpoints (/sports, /sportsbooks) already cover the use case. Strip the path-param singular endpoints from public/openapi.json.
Why it matters
- RapidAPI marketplace listing (published 2026-05-03) currently has
getSportsbook and getSport hidden manually as a workaround — if we re-import the spec on a future revision, they reappear.
- Any customer browsing
docs.sharpapi.io sees these endpoints and may try to call them.
- Generated SDKs (
sharpapi-python, sharpapi-ts) likely include broken methods for the phantom routes; check.
Cross-repo
- Spec lives here:
Mlaz-code/docs.sharpapi.io/public/openapi.json
- Implementation would live in:
Mlaz-code/sharp-api-go (handlers + route registration in mux.HandleFunc block)
- SDK regen:
Sharp-API/sharpapi-python, Sharp-API/sharpapi-ts (matrix gates + OIDC publish — see sharp-api-go/docs/DEPLOY.md)
Summary
public/openapi.jsondeclares 7 paths that the livesharp-api-gobackend does not implement. Customers — including the new RapidAPI marketplace listing — hit 404 on these endpoints despite their being documented in our spec.Discovered while sweeping the RapidAPI listing's exposed endpoint set on 2026-05-03 (see
wiki/operations/2026-05-03 RapidAPI Marketplace Key Mint.md).Phantom routes
/account{"message":"Endpoint '/account' does not exist"}/account/keys/account/keys/account/usage/account/keys/{keyId}/account/keys/{keyId}/rotate/sports/{sportId}404 page not found(no JSON envelope — bare Go ServeMux 404)/sportsbooks/{bookId}404 page not found(same)/streammay also be misrouted — backend returnedEndpoint '/stream' does not existto a plain GET, but it should serve SSE on/api/v1/streamwithAccept: text/event-stream. Worth confirming the route is actually mounted.Reproduction
Free-tier
X-API-Keyagainst live origin (works for the same keys that do succeed on/odds,/sports, etc.):```bash
source /root/sharpapi.io/.env
for p in /api/v1/account /api/v1/account/usage /api/v1/sportsbooks/draftkings /api/v1/sports/basketball_nba; do
curl -sS -o /dev/null -w "%{http_code} %{url_effective}\n"
"https://api.sharpapi.io\$p" -H "X-API-Key: $SHARPAPI_KEY"
done
```
Full sweep of all 37 declared paths via the RapidAPI proxy: results at
/shared-tmp/rapidapi-endpoint-test-results.txton the dev server (192.168.4.151).Fix options
Two independent calls. Pick per-route:
A. Implement in
sharp-api-go(recommended for/account/*)The
/account/*namespace is the most user-facing miss — would let customers see usage / rotate keys without going through the marketing-site dashboard.sharp-api-goalready hasauthMiddleware+ Unkey integration, so wiring/account/usage(readkey.lastUsedAt+ month-to-date counter from Valkey) and/account/keys/{keyId}(delete via Unkeykeys.deleteKey) is a small handler.B. Remove from spec (recommended for
/sports/{sportId},/sportsbooks/{bookId})Probably never had real implementations — spec authored speculatively. List endpoints (
/sports,/sportsbooks) already cover the use case. Strip the path-param singular endpoints frompublic/openapi.json.Why it matters
getSportsbookandgetSporthidden manually as a workaround — if we re-import the spec on a future revision, they reappear.docs.sharpapi.iosees these endpoints and may try to call them.sharpapi-python,sharpapi-ts) likely include broken methods for the phantom routes; check.Cross-repo
Mlaz-code/docs.sharpapi.io/public/openapi.jsonMlaz-code/sharp-api-go(handlers + route registration inmux.HandleFuncblock)Sharp-API/sharpapi-python,Sharp-API/sharpapi-ts(matrix gates + OIDC publish — seesharp-api-go/docs/DEPLOY.md)