wiki / api and mcp

api authentication and bearer keys

the public api uses scoped bearer keys. integrations should send the key in the authorization header and keep the raw key outside documents, prompts, and client-side code.

updated may 3, 2026 api and mcp no images
quick answer

send `authorization: bearer hyv_live_...` from a backend, local agent, or secret manager, never from a public browser bundle.

use this for

  • setting up a server-side integration
  • connecting an ai agent to the rest api
  • explaining why api keys are only shown once

steps

  1. open the api keys page in the app.
  2. create a key for one integration.
  3. copy the raw key when it is shown.
  4. store it as a secret such as `HYV_API_KEY`.
  5. send requests with `authorization: bearer <key>`.
  6. revoke the key when the integration should stop working.

details to know

  • live keys use the `hyv_live_` prefix followed by generated lowercase hex characters.
  • the api stores a hash of the key, not the raw key.
  • last-used metadata is updated when a key is accepted.
  • one account can keep multiple keys so each agent or backend can be revoked separately.

limits and edge cases

  • do not paste live keys into chat, public docs, wiki pages, or browser javascript.
  • accounts have an active-key cap. revoke old keys before creating more.
  • a missing, malformed, revoked, or expired key returns an authentication error.

related pages

ready to use the product instead of reading about it? open app