Authentication

How to sign requests with your hw_live_ key.

Every HiWay request must carry a valid API key in the Authorization header. Keys start with hw_live_ followed by 32 hex characters, and are generated in Dashboard → Keys. Each key can be named, rotated, revoked, and scoped with its own rate limit.

Header format

http
Authorization: Bearer hw_live_YOUR_KEY

Keys are shown once

At creation time, HiWay displays the key exactly once. We only store the SHA-256 hash. Copy it into your secret manager immediately - a lost key cannot be recovered, only revoked and re-issued.

Rotating a key

Open Dashboard → Keys, click Revoke on the old key, then New key to create a replacement. Revocation is instant: the next request signed with the old key returns a 401.

Per-key rate limits

Each key can carry its own requests-per-minute limit, handy for splitting CI from production. If CI loops, its key is throttled without affecting your live app.

Key source tracking

Keys minted via the dashboard, the CLI device flow, or the API are tagged with a source field. You can see in Dashboard → Keys which channel each key came from - useful for adoption metrics and audit.

Previous

Drop-in with your existing SDK

Next

How smart routing works