Authentication
All API requests require authentication via Bearer token in the Authorization header.
Bearer Token
Include your API key in every request as a Bearer token:
Authorization: Bearer hc_live_abc123...
API Key Types
● Live Keys (hc_live_)
  Production keys with real data. Count toward your rate limit.
● Test Keys (hc_test_)
  Sandbox keys with mock data. Do not count toward limits.
Security Best Practices
- Never expose API keys in client-side code or public repositories
- Use environment variables to store keys
- Rotate keys periodically; you can generate new keys from your dashboard
- Use the minimum permission scope required for your integration
- Monitor your usage dashboard for unexpected spikes
Error Responses
// 401 Unauthorized — Missing or invalid key
{
  "error": "invalid_api_key",
  "message": "The API key provided is invalid or expired.",
  "status": 401
}
// 403 Forbidden — Key lacks permission
{
  "error": "insufficient_scope",
  "message": "This key does not have access to the Compliance API.",
  "status": 403
}
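
The practices and error bodies above can be enforced in client code. The following is an added example, not code from this API's documentation or SDK: it reads the key from the environment, refuses a live key unless explicitly allowed, masks keys before logging, and maps the two documented errors to an action. The variable name HC_API_KEY, the allow_live flag, the action names and the key-body pattern are assumptions.

```python
import json
import os
import re

# Assumption: the key body after the documented prefix is 8+ URL-safe characters.
KEY_RE = re.compile(r"hc_(live|test)_[A-Za-z0-9_-]{8,}")


class AuthConfigError(Exception):
    """Raised when no usable key is configured; never carries the key itself."""


def load_key(env=os.environ, var="HC_API_KEY", allow_live=False):
    """Read the key from the environment and refuse live keys unless opted in."""
    key = env.get(var, "").strip()
    match = KEY_RE.fullmatch(key)
    if match is None:
        raise AuthConfigError(f"{var} is unset or is not an hc_live_/hc_test_ key")
    if match.group(1) == "live" and not allow_live:
        raise AuthConfigError(f"{var} holds a live key but allow_live is False")
    return key


def auth_headers(key):
    """Build the documented header: Authorization: Bearer <key>."""
    return {"Authorization": f"Bearer {key}"}


def redact(text):
    """Mask key bodies before text reaches logs, keeping prefix and last 4 chars."""
    return KEY_RE.sub(lambda m: f"hc_{m.group(1)}_****{m.group(0)[-4:]}", text)


def next_step(status, body):
    """Map the two documented error bodies to an operator action."""
    error = json.loads(body).get("error")
    if status == 401 and error == "invalid_api_key":
        return "rotate"         # key invalid or expired: stop retrying, issue a new key
    if status == 403 and error == "insufficient_scope":
        return "request_scope"  # key is valid: widen this key's scope deliberately
    return "unexpected"


if __name__ == "__main__":
    sample_env = {"HC_API_KEY": "hc_test_CONSTRUCTED0001"}  # constructed sample key
    key = load_key(sample_env)
    print(redact(str(auth_headers(key))))
    print(next_step(401, '{"error": "invalid_api_key", "status": 401}'))
```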