X-API-Key header on every request to /openapi/v1/*. There is no HMAC
signing, no timestamp, and no nonce.
| Header | When | Value |
|---|---|---|
| X-API-Key | Always | Your API key (prefixed apk_) |

The API key is only accepted on the /openapi/v1/* surface. The dashboard surface (/api/v1/*) uses a separate session-based login, so an API key can never be used to manage itself.

Managing keys

Create, rotate and revoke keys from the HayInsights dashboard under Account → API keys.

Create

Generate a key: the full secret (apk_…) is shown once. Copy it into a secret store or environment variable immediately.

Rotate

Rotating issues a new key and revokes the old one in a single step. Update your environment with the new secret.

Access & quota
Your key inherits the subscription plan on your account. The plan determines both which data domains you can access and your request quota:

- A request for a domain your plan doesn't include returns 403 FEATURE_NOT_IN_PLAN (see Plans & features).
- Exceeding your per-minute weight budget returns 429 RATE_LIMIT_EXCEEDED (see Rate limits).

Authentication errors
| Code | Meaning |
|---|---|
| API_KEY_REQUIRED | No X-API-Key header was sent. |
| API_KEY_INVALID | The key is unknown or malformed. |
| API_KEY_DISABLED | The key has been revoked. |
| API_KEY_EXPIRED | The key has expired. |

401. See Error codes for the full reference.
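
Because the key is the only credential on each request (no HMAC signature, timestamp or nonce), a client-side guard on where it is sent is worth having. The sketch below is an added example, not HayInsights code: the host `api.example.invalid`, the variable name `HAYINSIGHTS_API_KEY` and the function names are assumptions, and since this page does not show how the error code is carried in the response, `next_step` takes the code as an argument.

```python
import hashlib
import os
import posixpath
import urllib.request
from urllib.parse import unquote, urlsplit

KEY_ENV = "HAYINSIGHTS_API_KEY"   # assumed variable name, not from the docs
API_HOST = "api.example.invalid"  # placeholder: the real host is not on this page
ALLOWED_PREFIX = "/openapi/v1/"   # the only surface that accepts the key

# Error codes listed on this page, mapped to the action each one calls for.
NEXT_STEP = {
    "API_KEY_REQUIRED": "client bug: the header was not attached",
    "API_KEY_INVALID": "stored secret is unknown or malformed: check the secret store",
    "API_KEY_DISABLED": "key was revoked: issue a new one in the dashboard",
    "API_KEY_EXPIRED": "key expired: issue a new one in the dashboard",
    "FEATURE_NOT_IN_PLAN": "domain not in plan: retrying will not help",
    "RATE_LIMIT_EXCEEDED": "back off until the per-minute budget resets",
}

def load_key(env=os.environ):
    """Read the key from the environment; reject values that are not apk_ keys."""
    key = env.get(KEY_ENV, "").strip()
    if not key.startswith("apk_") or len(key) <= len("apk_"):
        raise ValueError(f"{KEY_ENV} is missing or is not an apk_ key")
    return key

def fingerprint(key):
    """Log-safe identifier: tells keys apart without exposing the secret."""
    return "apk_sha256:" + hashlib.sha256(key.encode()).hexdigest()[:12]

def build_request(url, key):
    """Attach X-API-Key only for HTTPS requests to API_HOST under /openapi/v1/."""
    parts = urlsplit(url)
    # Decode and collapse ../ so a crafted path cannot pass the prefix check.
    path = posixpath.normpath(unquote(parts.path)) + "/"
    if parts.scheme != "https":
        raise ValueError("refusing to send the key over a non-HTTPS URL")
    if parts.hostname != API_HOST:
        raise ValueError("refusing to send the key to an unexpected host")
    if not path.startswith(ALLOWED_PREFIX):
        raise ValueError("refusing to send the key outside /openapi/v1/")
    return urllib.request.Request(url, headers={"X-API-Key": key})

def next_step(code):
    """Map an error code from the response to an operator action."""
    return NEXT_STEP.get(code, "unknown code: see the Error codes reference")
```

Log `fingerprint(key)` rather than the key itself when recording which credential a request used.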