feat(auth): support Bearer token alongside X-API-Key

Add an optional `authMethod` field to `SharpAPIConfig` accepting
`'x-api-key'` (default) or `'bearer'`. When `'bearer'` is selected the
HTTP client sends `Authorization: Bearer <apiKey>` on REST requests
instead of the historical `X-API-Key: <apiKey>` header.

Use cases:
- Customers fronting the API behind IAM / SSO layers that expect a
 standard `Authorization` header.
- Corporate proxies and API gateways that strip non-standard
 `X-*` headers but pass `Authorization` through untouched.

Back-compat: the `apiKey` constructor argument is unchanged and the
default auth method remains `'x-api-key'`, so existing callers see no
behavioural change.

SSE and WebSocket transports are intentionally unaffected — they
already pass the key as the `?api_key=` query parameter because
browsers cannot set custom headers on `EventSource` or `WebSocket`
connections.

Bumps version 0.2.4 → 0.2.5 (additive public API surface).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Mlaz-code

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sharp-api/client",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "Official TypeScript/JavaScript client for the SharpAPI real-time sports betting odds API",
   "type": "module",
   "main": "./dist/index.cjs",

src/index.ts

@@ -27,18 +27,46 @@
 // Configuration
 // =============================================================================
 
+/**
+ * How the SDK presents the API key on REST requests.
+ *
+ * - `'x-api-key'` (default): sends `X-API-Key: <apiKey>`. Matches the
+ *   historical behaviour of the SDK and is the recommended choice for
+ *   most users.
+ * - `'bearer'`: sends `Authorization: Bearer <apiKey>` instead. Use this
+ *   when the request travels through an IAM / SSO layer or an API
+ *   gateway / corporate proxy that strips custom headers (`X-*`) but
+ *   preserves the standard `Authorization` header.
+ *
+ * SSE and WebSocket auth are unaffected by this setting — those
+ * transports always pass the key as the `?api_key=` query parameter
+ * because browsers cannot set custom headers on `EventSource` or
+ * `WebSocket` connections.
+ */
+export type AuthMethod = 'x-api-key' | 'bearer'
+
 export interface SharpAPIConfig {
   /** API key (sk_xxx format) */
   apiKey: string
   /** Base URL (default: https://api.sharpapi.io) */
   baseUrl?: string
   /** Request timeout in ms (default: 30000) */
   timeout?: number
+  /**
+   * Auth header to use on REST requests (default: `'x-api-key'`).
+   *
+   * Set to `'bearer'` to send `Authorization: Bearer <apiKey>` instead
+   * of `X-API-Key: <apiKey>` — useful behind IAM / SSO layers and API
+   * gateways that strip non-standard headers. SSE and WebSocket
+   * transports are unaffected (they always use `?api_key=` query).
+   */
+  authMethod?: AuthMethod
 }
 
 const DEFAULT_CONFIG = {
   baseUrl: 'https://api.sharpapi.io',
   timeout: 30000,
+  authMethod: 'x-api-key' as AuthMethod,
 }
 
 // =============================================================================
@@ -536,11 +564,13 @@ class HttpClient {
   private _apiKey: string
   private baseUrl: string
   private timeout: number
+  private authMethod: AuthMethod
 
   constructor(config: SharpAPIConfig) {
     this._apiKey = config.apiKey
     this.baseUrl = config.baseUrl || DEFAULT_CONFIG.baseUrl
     this.timeout = config.timeout || DEFAULT_CONFIG.timeout
+    this.authMethod = config.authMethod || DEFAULT_CONFIG.authMethod
   }
 
   /** Exposed for StreamResource — SSE URL requires the key as a query param. */
@@ -573,10 +603,14 @@ class HttpClient {
     params?: Record<string, unknown>,
   ): Promise<T> {
     const url = this.buildUrl(path, params)
+    const authHeaders: Record<string, string> =
+      this.authMethod === 'bearer'
+        ? { Authorization: `Bearer ${this.apiKey}` }
+        : { 'X-API-Key': this.apiKey }
     const init: RequestInit = {
       method,
       headers: {
-        'X-API-Key': this.apiKey,
+        ...authHeaders,
         'Content-Type': 'application/json',
       },
     }

tests/client.test.ts

@@ -306,6 +306,33 @@ describe('OddsResource', () => {
     const calledOptions = (globalThis.fetch as ReturnType<typeof vi.fn>).mock
       .calls[0][1] as RequestInit
     expect(calledOptions.headers).toHaveProperty('X-API-Key', 'sk_test_MY_KEY')
+    expect(calledOptions.headers).not.toHaveProperty('Authorization')
+  })
+
+  it('sends Bearer token when authMethod is "bearer"', async () => {
+    globalThis.fetch = mockFetch(ODDS_RESPONSE)
+    const api = new SharpAPI('sk_test_MY_KEY', { authMethod: 'bearer' })
+
+    await api.odds.get()
+
+    const calledOptions = (globalThis.fetch as ReturnType<typeof vi.fn>).mock
+      .calls[0][1] as RequestInit
+    expect(calledOptions.headers).toHaveProperty(
+      'Authorization',
+      'Bearer sk_test_MY_KEY',
+    )
+    expect(calledOptions.headers).not.toHaveProperty('X-API-Key')
+  })
+
+  it('defaults to X-API-Key when authMethod omitted', async () => {
+    globalThis.fetch = mockFetch(ODDS_RESPONSE)
+    const api = new SharpAPI('sk_test_DEFAULT')
+
+    await api.odds.get()
+
+    const calledOptions = (globalThis.fetch as ReturnType<typeof vi.fn>).mock
+      .calls[0][1] as RequestInit
+    expect(calledOptions.headers).toHaveProperty('X-API-Key', 'sk_test_DEFAULT')
   })
 
   it('fetches best odds', async () => {