API keys
All requests to the Hostreach public API must include an API key. Keys are scoped, revocable, and prefixed to indicate the environment.Generate a key
- Log in at app.hostreach.io.
- Go to Settings › Workspace › Acceso API.
- Click New API key, choose a name, environment, and scopes.
- Copy the key — it is only shown once.
Key format
Use
hr_live_ keys for production integrations and hr_test_ keys for development and testing.
Sending the key
You can pass the key in either of two ways:Option 1 — X-Api-Key header (recommended)
Option 2 — Bearer token
Scopes
API keys can be restricted to specific scopes. An emptyscopes array means full access (wildcard).
A
403 Forbidden response means the key is valid but lacks the required scope for that endpoint. Create a new key with the necessary scope.
Error responses
All errors return a JSON body:Key rotation and revocation
- To rotate a key: create a new key, update your integration, then revoke the old one.
- To revoke: go to Settings › Workspace › Acceso API and click Revoke next to the key.
- Revoked keys return
401immediately.