Skip to content
Dashboard
Menu Account API · API keys

Account API

API keys

Keys are the credential you put in CI: 256 bits of CSPRNG behind an hp_ prefix, shown once at mint time, stored only as a hash. The endpoint cards live in List & delete drops; this page covers what a key is.

Anatomy of a key

Secret
hp_ + 43 base64url characters — e.g. hp_QffDmo0uWxx… — 32 random bytes underneath.
Id
The SHA-256 of the full secret, 64 hex chars. It’s how you reference the key in DELETE /keys/<id>, and safe to log.
Prefix
The first 10 characters (like hp_QffDmo0), kept as metadata so you can tell keys apart in listings.

Only the hash is stored server-side. A leaked database doesn’t leak keys — but it also means a lost key is gone for good. Mint a new one.

Minting

Minting requires a Firebase ID token — an existing key can’t breed new keys, so a leaked CI credential can’t quietly multiply. Sign in at hurl.page and use the dashboard, or:

bash
curl -X POST https://hurl.page/keys \
  -H "Authorization: Bearer <firebase-id-token>"

The 201 response carries apiKey exactly once — copy it into your secret manager before closing the terminal.

Scope

Every key is account-wide: deploys, appends, drop management, billing and vanity all accept it. There are no per-key permissions — if you need a credential you can hand to a semi-trusted pipeline, that’s a reason to keep separate keys per pipeline and revoke aggressively.

Rotation

Mint the replacement first, swap the secret in your pipelines, then DELETE /keys/<id> the old one. Revocation is instant — any job still holding the old key fails on its very next request.

Edit this page on GitHub (opens in a new tab)

Last updated Jun 12, 2026