Back to Docs
Authentication
API Keys
All API requests require a valid API key in the Authorization header.
Key format
API keys follow the format hg_.... The prefix indicates a secret key — never expose it in client-side code.
Authorization: Bearer hg_sk_live_abc123def456Best practices
- Store API keys in environment variables, never in source code.
- Use different keys for development, staging, and production.
- Rotate keys regularly and revoke unused keys immediately.
- Monitor API key usage in the dashboard for anomalous activity.
Error responses
| Status | Code | Description |
|---|---|---|
| 401 | invalid_api_key | The API key is missing, malformed, or revoked. |
| 403 | insufficient_permissions | The API key does not have permission for this resource. |
| 429 | rate_limit_exceeded | Too many requests. Wait and retry. |