Authentication

How to sign requests with your hwy_ key.

Every HiWay request must carry a valid API key in the Authorization header. Keys start with hwy_ and are generated in Settings → API Keys. Each key can be named, rotated, revoked, and scoped with a per-key spend limit.

Header format

http
Authorization: Bearer hwy_YOUR_KEY

Keys are shown once

At creation time, HiWay displays the key exactly once. We only store the SHA-256 hash. Copy it into your secret manager immediately — a lost key cannot be recovered, only revoked and re-issued.

Rotating a key

Open Settings → API Keys, click Revoke on the old key, then New key to create a replacement. Revocation is instant: the next request signed with the old key returns a 401.

Per-key spend limits

You can cap the daily and monthly spend of each key independently. Useful for giving one key to a CI job and another to a preview environment — if CI loops, the daily cap kicks in and the key is frozen until the next calendar day, without affecting your other keys.

Revoke ≠ delete

Revoked keys stay in the dashboard for audit (usage history remains visible) but cannot sign any new request. To completely remove them, use the trash icon after revocation.

Previous

SDKs and integrations

Next

Your first request