Hyperfold AI

API Authentication

Secure your API requests with API keys, OAuth 2.0, or service accounts.

Overview

Hyperfold supports multiple authentication methods to suit different use cases:

MethodUse CaseSecurity
API KeysServer-side integrations, scriptsLong-lived, revocable
OAuth 2.0User-facing apps, third-party integrationsShort-lived tokens, scoped
Service AccountsAutomated services, CI/CD pipelinesJWT-based, no user context

API Keys

API keys are the simplest authentication method for server-side integrations:

bash
1
2
3
4
5
6
7
8
9
10
11
12
# Authenticate with API key
curl -X GET https://api.hyperfold.io/v1/catalog/products \
  -H "Authorization: Bearer hf_live_abc123xyz"
 
# Or use X-API-Key header
curl -X GET https://api.hyperfold.io/v1/catalog/products \
  -H "X-API-Key: hf_live_abc123xyz"
 
# Include project ID for multi-project accounts
curl -X GET https://api.hyperfold.io/v1/catalog/products \
  -H "Authorization: Bearer hf_live_abc123xyz" \
  -H "X-Project-ID: proj_acme"

Managing API Keys

bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# Create API key via CLI
$ hyperfold auth create-key --name="Production API" --scopes=catalog:read,catalog:write
 
API KEY CREATED
  Name:         Production API
  Key:          hf_live_abc123xyz...
  Scopes:       catalog:read, catalog:write
  Created:      2025-01-20T10:00:00Z
 
⚠ Save this key securely - it won't be shown again.
 
# List API keys
$ hyperfold auth list-keys
 
API KEYS
 
NAME              SCOPES                      LAST USED        STATUS
Production API    catalog:read,write          2 min ago        active
CI/CD Pipeline    agents:deploy               1 hour ago       active
Analytics         analytics:read              3 days ago       active
 
# Revoke API key
$ hyperfold auth revoke-key hf_live_abc123xyz
 
✓ API key revoked
Never expose API keys in client-side code or commit them to version control. Use environment variables or secret management systems.

Key Types

PrefixEnvironmentUsage
hf_live_ProductionLive transactions, real data
hf_test_SandboxTesting, development
hf_restricted_EitherLimited scope, public-safe

OAuth 2.0

Use OAuth 2.0 for applications that act on behalf of users:

bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# OAuth 2.0 Authorization Code Flow
 
# Step 1: Redirect user to authorization URL
https://auth.hyperfold.io/authorize?
  client_id=your_client_id&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=catalog:read%20agents:read&
  state=random_state_string
 
# Step 2: Exchange code for tokens
curl -X POST https://auth.hyperfold.io/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code=AUTH_CODE_FROM_CALLBACK" \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret" \
  -d "redirect_uri=https://yourapp.com/callback"
 
# Response
{
  "access_token": "hf_oauth_xyz...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "hf_refresh_abc...",
  "scope": "catalog:read agents:read"
}
 
# Step 3: Use access token
curl -X GET https://api.hyperfold.io/v1/catalog/products \
  -H "Authorization: Bearer hf_oauth_xyz..."
 
# Step 4: Refresh token when expired
curl -X POST https://auth.hyperfold.io/token \
  -d "grant_type=refresh_token" \
  -d "refresh_token=hf_refresh_abc..." \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret"

Supported Grant Types

Grant TypeUse Case
authorization_codeWeb apps with server-side component
refresh_tokenRenew expired access tokens
client_credentialsMachine-to-machine authentication

Service Accounts

Service accounts provide non-interactive authentication for automated systems:

python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# Service Account authentication (for server-to-server)
 
# Download service account key from console
$ hyperfold auth create-service-account \
  --name="Backend Service" \
  --scopes=full_access \
  --output=service-account.json
 
# service-account.json contents:
{
  "type": "service_account",
  "project_id": "proj_acme",
  "private_key_id": "key_123",
  "private_key": "-----BEGIN RSA PRIVATE KEY-----\n...",
  "client_email": "backend@proj_acme.hyperfold.io",
  "client_id": "sa_xyz789"
}
 
# Generate JWT and exchange for access token
import jwt
import time
import requests
 
def get_access_token(service_account_path):
    with open(service_account_path) as f:
        sa = json.load(f)
 
    now = int(time.time())
    payload = {
        "iss": sa["client_email"],
        "sub": sa["client_email"],
        "aud": "https://api.hyperfold.io",
        "iat": now,
        "exp": now + 3600
    }
 
    token = jwt.encode(payload, sa["private_key"], algorithm="RS256")
 
    response = requests.post(
        "https://auth.hyperfold.io/token",
        data={
            "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "assertion": token
        }
    )
 
    return response.json()["access_token"]
Service account keys should be stored securely and rotated regularly. Consider using cloud-native secret managers like Google Secret Manager or AWS Secrets Manager.

Scopes & Permissions

Scopes control what resources an authenticated request can access:

text
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Available OAuth scopes
 
SCOPE                    DESCRIPTION
─────────────────────────────────────────────────────────────
catalog:read             Read product catalog
catalog:write            Create/update products
agents:read              View agent configurations
agents:deploy            Deploy and manage agents
payments:read            View payment data
payments:write           Process payments
analytics:read           Access analytics data
integrations:read        View integration configs
integrations:write       Manage integrations
workflows:read           View workflow definitions
workflows:write          Create/modify workflows
admin                    Full administrative access
 
# Scope format for requests
scope=catalog:read%20catalog:write%20agents:read

Best Practices

Principle of Least Privilege

Request only the scopes your application needs. Avoid using admin scope unless absolutely necessary.

Rotate Credentials Regularly

Set up automatic key rotation for production environments. API keys should be rotated at least every 90 days.

Use Environment-Specific Keys

Maintain separate API keys for development, staging, and production. Never use production keys in development.

Ready to make API calls? Explore the Management API or ACP API.