API Keys

API keys provide programmatic access to the hookstream API. Keys are shown in plaintext only once at creation time — hookstream stores a SHA-256 hash internally and cannot recover a key after creation.

API key management endpoints require session authentication (you must be logged in to the dashboard). You cannot create or revoke API keys using another API key.

Create API Key

POST /v1/auth/api-keys

Create a new API key. The plaintext key is returned only in this response.

Authentication: Session cookie.

Body Parameters

bash
curl -X POST https://hookstream.io/v1/auth/api-keys \
  -H "Content-Type: application/json" \
  --cookie "session=..." \
  -d '{"name": "Production Backend"}'

json
{
  "id": "ak_8f3a1b2c4d5e6f7a",
  "name": "Production Backend",
  "key": "hs_live_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "key_prefix": "hs_live_a1b2",
  "scopes": null,
  "created_at": "2026-03-01T12:00:00Z"
}

Save the key value immediately. hookstream stores only the SHA-256 hash and cannot retrieve it later.

List API Keys

GET /v1/auth/api-keys

List all API keys for the authenticated user. Keys are masked — only the prefix is shown.

Authentication: Session cookie.

bash
curl https://hookstream.io/v1/auth/api-keys \
  --cookie "session=..."

json
{
  "api_keys": [
    {
      "id": "ak_8f3a1b2c4d5e6f7a",
      "name": "Production Backend",
      "key_prefix": "hs_live_a1b2",
      "scopes": null,
      "request_count": 142,
      "revoked": 0,
      "created_at": "2026-03-01T12:00:00Z",
      "last_used_at": "2026-03-01T14:30:00Z"
    }
  ]
}

Response Fields

Revoke API Key

DELETE /v1/auth/api-keys/:id

Revoke an API key. The key is immediately invalidated and cannot be recovered.

Authentication: Session cookie.

bash
curl -X DELETE https://hookstream.io/v1/auth/api-keys/ak_8f3a1b2c4d5e6f7a \
  --cookie "session=..."

json
{ "success": true }

Related