Skip to content
Dashboard
Menu Account API · List & delete drops

Account API

List & delete drops

Drops deployed with an Authorization header belong to your account, and these routes manage them — plus the API keys behind them. All paths are relative to https://hurl.page and expect a Bearer credential as described in Authentication.

Drops

Two endpoints cover the lifecycle: list what you've deployed, delete what you no longer need.

GET

/drops

hp_ key or ID token

Returns the drops owned by the account, newest first. expires_at is null on subscriber drops, since those never expire.

Query parameters

limit
Drops per page — up to 500, default 100.
offset
Number of drops to skip; combine with limit to page through large accounts.
json 200 OK 
{
"total": 12,
"drops": [
{
"slug": "launch-metrics-c2dse08p",
"url": "https://launch-metrics-c2dse08p.hurled.page/",
"name": "launch-metrics",
"file_count": 3,
"redeploy_count": 7,
"created_at": "2026-06-02T09:14:00.000Z",
"updated_at": "2026-06-09T16:41:00.000Z",
"expires_at": null
}
]
}
DELETE

/drops/<slug>

hp_ key or ID token

Removes a drop. The <slug> is the subdomain part of the drop's URL — for launch-metrics-c2dse08p.hurled.page that's launch-metrics-c2dse08p.

json 200 OK 
{
"deleted": "launch-metrics-c2dse08p"
}

Deletion is permanent. Files and the drop's index entry are purged immediately and can't be restored. The edge cache may keep serving the page for up to 60 seconds after the call returns.

API keys

Keys are what curl and CI authenticate with: mint them from a dashboard session, list their metadata, revoke them when they leak or retire. Formats and scoping are covered in API keys.

POST

/keys

Firebase ID token

Mints a new API key. This is the one route that requires a Firebase ID token from your dashboard session — existing hp_ keys can't mint new keys.

json 201 Created 
{
"accountId": "9f1c2c4e-7b2a-4f5e-a1d3-2c8b51b6f0aa",
"apiKey": "hp_QffDmo0uWxx_BKbZjjtSwdgPaksp58XTGgj0tsLZfhU",
"keyId": "8c1f4b2e6a9d35c7e0b8a2f41d6c9e3b5a7d0f82c4e6b1a39d5f7c0e2b4a6d81",
"note": "Shown once — store it. Send as 'Authorization: Bearer <key>' …"
}

The key is shown once — we only store a hash. Copy it into your secret manager before closing the response; there's no way to retrieve it later.

GET

/keys

hp_ key or ID token

Lists the keys on the account. Only metadata comes back — the secret itself is never returned, just the prefix so you can tell keys apart.

json 200 OK 
{
"keys": [
{
"id": "8c1f4b2e6a9d35c7e0b8a2f41d6c9e3b5a7d0f82c4e6b1a39d5f7c0e2b4a6d81",
"prefix": "hp_QffDmo0",
"created_at": "2026-05-28T11:02:00.000Z",
"last_used_at": "2026-06-10T07:55:00.000Z"
},
{
"id": "2f9e7c4b1a6d8e3c5b0a9f7d4e2c6b8a1d3f5e7c9b0a2d4f6e8c1b3a5d7f9e0c",
"prefix": "hp_b7Rt2wX",
"created_at": "2026-04-12T15:30:00.000Z",
"last_used_at": null
}
]
}
DELETE

/keys/<id>

hp_ key or ID token

Revokes a key by its id (from GET /keys) — the id is the key’s SHA-256, 64 hex chars. Takes effect on the very next request.

json 200 OK 
{
"revoked": "2f9e7c4b1a6d8e3c5b0a9f7d4e2c6b8a1d3f5e7c9b0a2d4f6e8c1b3a5d7f9e0c"
}

Any CI still using this key fails immediately. Revocation is instant — rotate the secret in your pipelines before you delete the key here.

Edit this page on GitHub (opens in a new tab)

Last updated Jun 12, 2026