The API is in beta and may change without prior notice.

API Reference

Base URL

| Environment | URL |
|---|---|
| Production | https://api.hitkey.io |

Authentication

Most endpoints require authentication via Bearer token:

Authorization: Bearer YOUR_TOKEN

Two types of tokens are used:

  • API Bearer tokens — from POST /auth/login (for direct API access)
  • OAuth access tokens — from POST /oauth/token (for partner integrations)

See Token Types for details.

Response Format

All responses are JSON. Successful responses return the data directly:

```json
{
  "id": "uuid",
  "name": "Example"
}
```

Error responses use this primary format:

```json
{
  "error": "Human-readable message",
  "code": "ERROR_CODE"
}
```

AdonisJS validation errors (HTTP 422) use an array format:

```json
{
  "errors": [
    {
      "message": "Validation failed",
      "rule": "required",
      "field": "email"
    }
  ]
}
```
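
A client has to tell these three body shapes apart and should fail closed on anything else. The following Python sketch is an added example, not HitKey's own code: `ApiError` and `parse_response` are hypothetical names, and it assumes a 2xx status is what signals success.

```python
import json


class ApiError(Exception):
    """One exception type for both documented error shapes (hypothetical name)."""

    def __init__(self, status, message, code=None, fields=None):
        super().__init__(message)
        self.status = status
        self.message = message
        self.code = code            # "code" from the primary error format, else None
        self.fields = fields or {}  # field -> [rule, ...] from the 422 array format


def parse_response(status, body):
    """Return decoded JSON on 2xx (assumed success signal); raise ApiError otherwise."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        # Fail closed: a proxy error page or empty body is never "success".
        raise ApiError(status, "response body is not JSON") from None
    if 200 <= status < 300:
        return data
    if isinstance(data, dict):
        # Primary format: {"error": "...", "code": "..."}
        if isinstance(data.get("error"), str):
            code = data.get("code")
            raise ApiError(status, data["error"], code if isinstance(code, str) else None)
        # Validation format: {"errors": [{"message", "rule", "field"}, ...]}
        errors = data.get("errors")
        items = [e for e in errors if isinstance(e, dict)] if isinstance(errors, list) else []
        if items:
            fields = {}
            for e in items:
                fields.setdefault(str(e.get("field")), []).append(str(e.get("rule")))
            raise ApiError(status, str(items[0].get("message")), fields=fields)
    # Neither documented shape: report it rather than guess.
    raise ApiError(status, "unrecognized error body")


# Constructed sample bodies, copied from the shapes documented above.
SAMPLE_ERROR = '{"error": "Human-readable message", "code": "ERROR_CODE"}'
SAMPLE_422 = '{"errors": [{"message": "Validation failed", "rule": "required", "field": "email"}]}'
```

Callers can branch on `ApiError.code` for the primary format and on `ApiError.fields` for validation failures without inspecting the raw body again.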

Interactive Documentation

A Swagger UI is available at:

| Environment | URL |
|---|---|
| Production | https://api.hitkey.io/docs |

The OpenAPI spec can be fetched at /swagger.json.

Endpoints Overview

OAuth (/oauth)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /oauth/authorize | Yes | Get authorization code |
| POST | /oauth/token | No | Exchange code / refresh token |
| GET | /oauth/userinfo | OAuth | Get user profile (OIDC) |
| POST | /oauth/clients | Yes | Create OAuth client |
| GET | /oauth/clients | Yes | List your OAuth clients |

Auth (/auth)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /auth/register/start | No | Start registration |
| POST | /auth/register/verify | No | Verify email code |
| POST | /auth/register/password | No | Set password (auto-login) |
| POST | /auth/register/resend | No | Resend verification code |
| POST | /auth/register/with-invite | No | Register via project invite |
| POST | /auth/login | No | Login |
| POST | /auth/logout | Yes | Logout |
| GET | /auth/me | Yes | Current user |
| PATCH | /auth/profile | Yes | Update profile |
| POST | /auth/token/refresh | No | Refresh API token |
| POST | /auth/password/forgot | No | Request password reset |
| POST | /auth/password/reset | No | Complete password reset |

2FA (/auth/2fa)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /auth/2fa/setup | Yes | Get TOTP setup (QR code) |
| POST | /auth/2fa/enable | Yes | Enable 2FA |
| POST | /auth/2fa/disable | Yes | Disable 2FA |
| POST | /auth/2fa/verify | No | Verify TOTP during login |

Emails (/auth/emails)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /auth/emails/ | Yes | List all emails |
| POST | /auth/emails/ | Yes | Add email |
| POST | /auth/emails/verify | Yes | Verify added email |
| POST | /auth/emails/resend | Yes | Resend verification |
| PATCH | /auth/emails/:id/default | Yes | Set default email |
| DELETE | /auth/emails/:id | Yes | Delete email |

Users (/users)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /users/search | Yes | Search users by email/name/username |

Search parameters:

| Parameter | Type | Required | Description |
|---|---|---|---|
| q | string | Yes | Search term (email, name, or username) |
| project_slug | string | No | Filter by project context |

Returns a maximum of 10 matching users.

Projects (/projects)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /projects/ | Yes | Create project |
| GET | /projects/ | Yes | List projects |
| GET | /projects/:slug | Yes | Get project |
| PATCH | /projects/:slug | Yes | Update project |
| DELETE | /projects/:slug | Yes | Delete project |
| POST | /projects/:slug/join | Yes | Join project |
| DELETE | /projects/:slug/leave | Yes | Leave project |

Project Members (/projects/:slug/members)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /projects/:slug/members | Yes | List members |
| POST | /projects/:slug/members | Yes | Add member |
| PATCH | /projects/:slug/members/:id | Yes | Update member |
| DELETE | /projects/:slug/members/:id | Yes | Remove member |
| POST | /projects/:slug/transfer-ownership | Yes | Transfer ownership |

Invites (/invites)

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /invites/:token | No | View invite |
| POST | /invites/:token/accept | Yes | Accept invite |

Health

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /health | No | Health check |
| GET | /docs | No | Swagger UI |
| GET | /swagger.json | No | OpenAPI spec |

HitKey Service License.