Authentication

All API requests require a valid API key sent as a Bearer token.

Header format

Authorization: Bearer hpx_your_api_key

Getting your API key

  1. Sign in to the dashboard.
  2. Create a new API key.
  3. Copy the key — it's only shown once.

What the API checks

When you make a request, the API verifies:

  1. Valid key — the key exists and hasn't been revoked.
  2. Active subscription — your account has an active or trialing subscription (canceled subscriptions work until the period ends).

If any check fails, you'll get a 401, 402, or 403 error. See Errors for details.

Security best practices

  • Store keys in environment variables — never hardcode them.
  • Never expose keys in client-side code — mint URLs server-side only.
  • Don't commit keys to version control — use .env files and add them to .gitignore.
  • Rotate keys periodically — revoke old keys from the dashboard.
  • Use separate keys for development and production — makes rotation and auditing easier.
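
One way to enforce the "never hardcode" and "don't commit keys" rules above is a pre-commit check that scans files for strings shaped like an API key. This is an added example, not code from the API provider; the key shape after the documented hpx_ prefix (16 or more URL-safe characters) is an assumption, and the sample key is constructed.

```python
"""Pre-commit style check: fail if a file contains what looks like an hpx_ key."""
import re
import sys

# Assumption: a real key is "hpx_" plus 16 or more URL-safe characters.
# The page documents only the "hpx_" prefix, so adjust the tail to your keys.
KEY_RE = re.compile(r"\bhpx_[A-Za-z0-9_-]{16,}")
# Documentation placeholder shown on the page; never reported as a finding.
PLACEHOLDERS = {"hpx_your_api_key"}
# Constructed sample input: one fake hardcoded key and the docs placeholder.
SAMPLE = ('API_KEY = "hpx_EXAMPLEexample0123456789"\n'
          'Authorization: Bearer hpx_your_api_key\n')


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be traced."""
    return f"{key[:4]}...{key[-4:]}"


def find_keys(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted key) for every suspected key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((lineno, redact(match.group(0))))
    return findings


def scan_files(paths: list[str]) -> int:
    """Print findings per path; return 1 if any key was found, else 0."""
    status = 0
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                text = handle.read()
        except OSError as exc:
            print(f"{path}: skipped ({exc})", file=sys.stderr)
            continue
        for lineno, shown in find_keys(text):
            print(f"{path}:{lineno}: possible API key {shown}")
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(scan_files(sys.argv[1:]))
```

Run it with the staged file names as arguments; a non-zero exit status blocks the commit, and any key it reports should be revoked from the dashboard since it has already been written to disk in plain text.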