API Keys
API keys provide programmatic access to the HiveForge API. They are scoped to an organization and support granular permissions.
Key format
HiveForge API keys use a prefixed format that indicates the environment:
| Prefix | Environment | Example |
|---|---|---|
| hf_live_ | Production | hf_live_a1b2c3d4e5f6... |
| hf_test_ | Sandbox | hf_test_x9y8z7w6v5u4... |
The full API key is only shown once at creation time. Store it securely -- you cannot retrieve it later.
Creating API keys
Via the API
Requires owner or admin role in the organization.
```javascript
const response = await fetch('https://api.hiveforge.dev/api/v1/api-keys', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${jwtToken}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    name: 'CI/CD Pipeline Key',
    scopes: ['read', 'write', 'deployments'],
    expires_at: '2027-01-01T00:00:00Z', // optional
    metadata: { environment: 'production' }, // optional
  }),
})
const { key, id, name, key_prefix, scopes } = await response.json()
// key = "hf_live_a1b2c3d4..." -- save this now!
```

Using API keys
Send the key as a Bearer token in the Authorization header:
```javascript
const response = await fetch('https://api.hiveforge.dev/api/v1/organizations', {
  headers: {
    'Authorization': 'Bearer hf_live_a1b2c3d4e5f6...',
    'Content-Type': 'application/json',
  },
})
```

The API key middleware intercepts the request, validates the key, and attaches the organization context and scopes to the request. Downstream route handlers enforce scope requirements.
Available scopes
Basic scopes
| Scope | Description |
|---|---|
| read | Read access to resources |
| write | Create and update resources (includes read) |
| delete | Delete resources (includes read) |
| admin | Full administrative access (includes all scopes) |
Feature-specific scopes
| Scope | Description |
|---|---|
| chat | AI chat access (includes chat:read, chat:write) |
| chat:read | Read chat conversations |
| chat:write | Create chat messages |
| webhooks | Webhook management (includes webhooks:read, webhooks:write, webhooks:delete) |
| webhooks:read | View webhooks |
| webhooks:write | Create and update webhooks |
| webhooks:delete | Delete webhooks |
| api_keys | API key management (includes api_keys:read, api_keys:write, api_keys:delete) |
| api_keys:read | View API keys |
| api_keys:write | Create and update API keys |
| api_keys:delete | Delete API keys |
| members | Organization member management (includes members:read, members:write, members:delete) |
| members:read | View organization members |
| members:write | Invite and update members |
| members:delete | Remove members |
| billing | Billing and subscription access (includes billing:read, billing:write) |
| billing:read | View billing information |
| billing:write | Update billing settings |
| audit | Audit log access (includes audit:read) |
| audit:read | View audit logs |
| deployments | Deployment management (includes deployments:read, deployments:write, deployments:delete) |
| deployments:read | View deployments |
| deployments:write | Create and manage deployments |
| deployments:delete | Delete deployments |
Scope hierarchy
Parent scopes automatically include their child scopes. For example, granting webhooks also grants webhooks:read, webhooks:write, and webhooks:delete. The admin scope includes everything.
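The expansion rule described here, together with the 400 "Invalid scopes" and 403 "missing required scope" responses it leads to, as an added example in JavaScript. This is not HiveForge's middleware; SCOPE_CHILDREN, expandScopes, hasScope and checkRequest are names chosen for this illustration.

```javascript
// Added example (not HiveForge's code): expands granted scopes through the
// hierarchy on this page and enforces a required scope per route.
const SCOPE_CHILDREN = {
  write: ['read'],
  delete: ['read'],
  chat: ['chat:read', 'chat:write'],
  webhooks: ['webhooks:read', 'webhooks:write', 'webhooks:delete'],
  api_keys: ['api_keys:read', 'api_keys:write', 'api_keys:delete'],
  members: ['members:read', 'members:write', 'members:delete'],
  billing: ['billing:read', 'billing:write'],
  audit: ['audit:read'],
  deployments: ['deployments:read', 'deployments:write', 'deployments:delete'],
};
// Every scope the page lists; admin is the parent of all of them.
const KNOWN_SCOPES = new Set([
  'admin',
  ...Object.keys(SCOPE_CHILDREN),
  ...Object.values(SCOPE_CHILDREN).flat(),
]);
// Scopes that are not recognized: the 400 "Invalid scopes" case at key creation.
function invalidScopes(requested) {
  return requested.filter((s) => !KNOWN_SCOPES.has(s));
}
// Expand granted scopes into the effective set: parents imply children,
// never the reverse. Throws on unknown scopes.
function expandScopes(granted) {
  const bad = invalidScopes(granted);
  if (bad.length) throw new Error(`Invalid scopes: ${bad.join(', ')}`);
  const effective = new Set();
  const stack = [...granted];
  while (stack.length) {
    const s = stack.pop();
    if (effective.has(s)) continue;
    effective.add(s);
    if (s === 'admin') stack.push(...KNOWN_SCOPES);
    else stack.push(...(SCOPE_CHILDREN[s] || []));
  }
  return effective;
}
function hasScope(granted, required) {
  return expandScopes(granted).has(required);
}
// Route-handler check mirroring the 403 row of the error table on this page.
function checkRequest(keyScopes, requiredScope) {
  if (hasScope(keyScopes, requiredScope)) return { status: 200 };
  return { status: 403, detail: `API key missing required scope: ${requiredScope}` };
}
```

Note that a child scope never grants its parent: a key holding only chat:read does not satisfy a route that requires chat.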
```text
admin
+-- read, write, delete
+-- chat (chat:read, chat:write)
+-- webhooks (webhooks:read, webhooks:write, webhooks:delete)
+-- api_keys (api_keys:read, api_keys:write, api_keys:delete)
+-- members (members:read, members:write, members:delete)
+-- billing (billing:read, billing:write)
+-- audit (audit:read)
+-- deployments (deployments:read, deployments:write, deployments:delete)
```

Managing keys
List keys
```bash
curl https://api.hiveforge.dev/api/v1/api-keys \
  -H "Authorization: Bearer $JWT_TOKEN"
```

Update a key

```bash
curl -X PATCH https://api.hiveforge.dev/api/v1/api-keys/{key_id} \
  -H "Authorization: Bearer $JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Updated Key Name",
    "scopes": ["read", "chat"]
  }'
```

Revoke a key

```bash
curl -X DELETE https://api.hiveforge.dev/api/v1/api-keys/{key_id} \
  -H "Authorization: Bearer $JWT_TOKEN"
```

Key rotation best practices
- Set expiration dates. Always create keys with an expires_at value. Avoid permanent keys.
- Use minimal scopes. Grant only the scopes each integration actually needs.
- Rotate regularly. Create a new key, update your integration, then revoke the old key.
- Monitor usage. Check audit logs for unexpected API key activity.
- Use separate keys per integration. Do not share a single key across multiple services.
- Store securely. Use environment variables or a secrets manager. Never commit keys to version control.
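The rotate-then-revoke order above, carried out against the endpoints on this page, as an added example (not HiveForge's own tooling). It assumes two things not on the page: fetchImpl is an injected fetch so the flow can run offline, and applyKey is the caller's hook that writes the new key into the integration's secret manager.

```javascript
// Added example, not HiveForge's code: rotate an API key with overlap so the
// integration is never left without a working credential.
const BASE_URL = 'https://api.hiveforge.dev/api/v1';

async function rotateKey({ jwtToken, oldKeyId, name, scopes, ttlDays, applyKey, fetchImpl = fetch }) {
  const jwtHeaders = {
    Authorization: `Bearer ${jwtToken}`,
    'Content-Type': 'application/json',
  };
  // 1. Create the replacement with an expiry so no permanent key is left behind.
  const expires_at = new Date(Date.now() + ttlDays * 86400 * 1000).toISOString();
  const created = await fetchImpl(`${BASE_URL}/api-keys`, {
    method: 'POST',
    headers: jwtHeaders,
    body: JSON.stringify({ name, scopes, expires_at }),
  });
  if (!created.ok) throw new Error(`create failed: HTTP ${created.status}`);
  const { key, id: newKeyId } = await created.json();

  // 2. Probe with the new key before the old one is touched.
  const probe = await fetchImpl(`${BASE_URL}/organizations`, {
    headers: { Authorization: `Bearer ${key}` },
  });
  if (!probe.ok) {
    // Roll back: revoke the unusable new key and keep the old one in service.
    await fetchImpl(`${BASE_URL}/api-keys/${newKeyId}`, { method: 'DELETE', headers: jwtHeaders });
    throw new Error(`new key rejected: HTTP ${probe.status}`);
  }

  // 3. Switch the integration over (assumed hook), then 4. revoke the old key.
  await applyKey(key);
  const revoked = await fetchImpl(`${BASE_URL}/api-keys/${oldKeyId}`, {
    method: 'DELETE',
    headers: jwtHeaders,
  });
  if (!revoked.ok) throw new Error(`revoke failed: HTTP ${revoked.status}`);
  return { newKeyId, expires_at };
}
```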
Error responses
| Status | Detail | Cause |
|---|---|---|
| 400 | Invalid scopes: ... | One or more requested scopes are not recognized |
| 400 | User must belong to an organization | The authenticated user has no organization membership |
| 401 | Authentication required (JWT or API key) | No valid credential provided |
| 403 | Admin or owner access required to create API keys | User does not have the required role |
| 403 | API key missing required scope: ... | The key does not have the scope needed for this endpoint |