PlayerAnalytics — Stats Embed API (Developer Guide)

PlayerAnalytics gives every server owner a Stats Embed Key: a read-only key your web developer can use to pull your server's public stats and show them on your website, Discord widget, or anywhere else.

It returns the same stats a player sees on your public server page — player counts, leaderboards, play-style breakdowns, who's online. Private admin metrics are never exposed. This guide is written for the developer doing the integration.

What you'll need

Ask the server owner for two things, both found in their dashboard under Server Settings → Stats Embed Key:

The Stats Embed Key — a value beginning with pas_. It's shown once when generated; the owner copies it to you.
The endpoint URL — shown right beside the key in the dashboard. It looks like https://api.playeranalytics.org/api/servers/<id>/stats and already contains the server's ID.

That's it — no account, OAuth, or SDK required. Authentication is a single HTTP header.

⚠ The one rule: use the key from your server, not the browser Put the key in your back-end / server-side code (or an environment variable) — never in client-side JavaScript or page source. Browser requests to the API are blocked by design, and a key pasted into front-end code is visible to anyone. The pattern below shows the correct approach: your server calls the API, then serves the result to your page.

How it works

Your back-end makes a GET request to the stats endpoint, sending the key in an X-API-Key header.
You cache the response briefly (the data updates about once a minute).
Your front-end reads the cached data from your server and renders it — no key ever reaches the browser.

Authentication

Send the key as an X-API-Key request header on every call:

# Quick test from your terminal
curl -H "X-API-Key: pas_your_key_here" \
  https://api.playeranalytics.org/api/servers/<id>/stats

Available data

All endpoints are GET requests under https://api.playeranalytics.org/api/servers/<id>/ using the same header:

Endpoint	Returns
/stats	Headline numbers — players tracked, sessions, kills, deaths, average session length, play-style mix
/players	Player roster & leaderboard (paginated)
/playtime	Most-played leaderboard
/online	Who's online right now
/progression	SkillTree levels & Mercenary ranks
/marksmanship	Headshot & long-shot leaderboards

Example response — `/stats`

{
  "server_name": "Your Server",
  "stats": {
    "total_players": 1240,
    "total_sessions": 8300,
    "total_deaths": 5100,
    "pvp_deaths": 2600,
    "npc_deaths": 2500,
    "avg_session_min": 64.2
  }
}

Example: a small back-end proxy

The cleanest setup is a tiny endpoint on your own server that holds the key, calls PlayerAnalytics, caches the result, and returns it to your front-end. Here's a Cloudflare Worker version — the same idea works in Node/Express, a Next.js API route, PHP, Python, etc.

// The key lives in a Worker secret, never in client code:
//   wrangler secret put PA_KEY
export default {
  async fetch(req, env) {
    const r = await fetch(
      "https://api.playeranalytics.org/api/servers/<id>/stats",
      { headers: { "X-API-Key": env.PA_KEY }, cf: { cacheTtl: 60 } }
    );
    return new Response(await r.text(), {
      status: r.status,
      headers: {
        "Content-Type": "application/json",
        "Access-Control-Allow-Origin": "*",   // your own site can read it
        "Cache-Control": "public, max-age=60"
      }
    });
  }
};

Node / Express equivalent:

app.get("/server-stats", async (req, res) => {
  const r = await fetch(
    "https://api.playeranalytics.org/api/servers/<id>/stats",
    { headers: { "X-API-Key": process.env.PA_KEY } }
  );
  res.set("Cache-Control", "public, max-age=60");
  res.status(r.status).json(await r.json());
});

Your page then fetches from your own route (same origin, no key exposed):

const data = await fetch("/server-stats").then(r => r.json());
document.querySelector("#players").textContent = data.stats.total_players;

Caching

The underlying data refreshes roughly once a minute, so caching each response for 30–60 seconds is plenty. It keeps your site fast and avoids unnecessary requests.

Response codes

Code	Meaning
200	Success — JSON body as shown above.
401	Missing or invalid key. If it worked before, the owner may have rotated it — ask for the new key.
402	The server's PlayerAnalytics subscription is inactive. Handle this gracefully (e.g. hide the widget) until it's active again.
403	That data isn't available with an embed key (it only exposes public, player-facing stats).

Rotating or disabling a key

The owner controls the key from Server Settings → Stats Embed Key. They can Rotate it (the old key stops working immediately — update your stored value) or Disable it entirely. Each server has its own key; a key only works for that one server.

Good to know The Stats Embed Key is read-only. It can display stats but can never change server settings, post data, or affect the game server in any way — so it's safe to hand to a developer for a website build.

Questions? Reach us at [email protected].

What you'll need

How it works

Authentication

Available data

Example response — /stats

Example: a small back-end proxy

Caching

Response codes

Rotating or disabling a key

Example response — `/stats`