Hep.gg

Management API

List, create, reveal, and rotate the passwords of databases programmatically over a bearer-key HTTP API at hep.gg/api/v1/db, with the full request and response shapes, status codes, and error catalog.

Management API

The management API lets you list and create databases, and reveal or rotate their passwords, from a script or CI, without the dashboard. It is separate from the database connection itself: it speaks HTTP/JSON over https://hep.gg/api/v1/db and is authenticated with a bearer key, while your actual queries run against your databases at db.teamhydra.dev (see Connecting).

Authentication

Every request needs an Authorization header carrying a bearer key from the dashboard.

Authorization header
Authorization: Bearer hepgg_db_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The header also accepts a Token prefix, or the raw key with no prefix; Bearer is the conventional form. Keys are minted in the dashboard under Database, API Keys; there is no public endpoint to create one. A key can list and create databases, reveal a database's current password, and rotate it. It cannot delete a database; that stays dashboard-only.

Keys carry your account entitlements and are revoked instantly on suspension. Disabling a key (yourself, or via the suspension cascade) makes it stop authenticating immediately, no per-request lookup of your account state is needed.

Response envelope

All responses use a JSON envelope. Success:

success
{ "ok": true, "data": { } }

Errors carry a human message and, where applicable, a machine code:

error
{ "ok": false, "error": "human-readable message", "code": "MACHINE_CODE" }

Endpoints at a glance

MethodPathAuthPurpose
GET/api/v1/db/databasesBearer keyList databases
POST/api/v1/db/databasesBearer keyCreate a database
GET/api/v1/db/databases/:idBearer keyReveal a database
POST/api/v1/db/databases/:id/rotateBearer keyRotate a password

Deleting a database is deliberately not exposed over the bearer API; do that from the dashboard.

List databases

GEThttps://hep.gg/api/v1/db/databasesAuth required
List the caller's databases. No secrets are returned.

Returns every database owned by the key's account, ordered by creation time. Passwords are never returned here; use Reveal a database to fetch one.

curl
curl https://hep.gg/api/v1/db/databases \
  -H "Authorization: Bearer $DB_KEY"
200 response
{
  "ok": true,
  "data": {
    "databases": [
      {
        "id": "01HV...",
        "name": "my-app",
        "engine": "mariadb",
        "dbName": "um_0a1b2c3d4e_1",
        "dbUser": "dum_0a1b2c3d4e_1",
        "sizeBytes": 1048576,
        "sizeRefreshedAt": "2026-05-28T12:00:00.000Z",
        "status": "active",
        "createdAt": "2026-05-20T09:30:00.000Z"
      }
    ]
  }
}

Each entry's fields:

Database summary
id
stringoptional
Stable identifier for the database.
name
stringoptional
The friendly label you chose at creation.
engine
stringoptional
One of mariadb, postgres, mongo.
dbName
stringoptional
The connection-level database name (auto-generated, see the naming scheme).
dbUser
stringoptional
The connection-level database user.
sizeBytes
numberoptional
Last measured on-disk size, refreshed by the quota watcher.
sizeRefreshedAt
stringoptional
ISO 8601 timestamp of the last size measurement, or null if never measured.
status
stringoptional
One of active, over_quota, disabled. See status values.
createdAt
stringoptional
ISO 8601 creation timestamp.

Create a database

POSThttps://hep.gg/api/v1/db/databasesAuth required
Provision a new database. Returns the password and connection string once.

Provisions a new database and its dedicated user. The password and connection string are returned in this response. Store them immediately; if you lose the password you can fetch it again with Reveal a database or replace it with Rotate a password (and the dashboard can do both too).

Body fields
name
stringrequired
Friendly label, 1 to 63 characters: letters, digits, underscore, or dash, and it must start with a letter or digit. Must be unique within your account.
engine
stringoptionaldefault: mariadb
One of mariadb, postgres, mongo. Defaults to mariadb.
curl
curl -X POST https://hep.gg/api/v1/db/databases \
  -H "Authorization: Bearer $DB_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"my-app","engine":"mariadb"}'

A successful create returns HTTP 201:

201 response
{
  "ok": true,
  "data": {
    "id": "01HV...",
    "name": "my-app",
    "engine": "mariadb",
    "dbName": "um_0a1b2c3d4e_1",
    "dbUser": "dum_0a1b2c3d4e_1",
    "password": "shown once - store it now",
    "connectionString": "mysql://dum_0a1b2c3d4e_1:...@db.teamhydra.dev:3306/um_0a1b2c3d4e_1"
  }
}

The connectionString scheme matches the engine: mysql:// for MariaDB, postgresql:// for Postgres, and mongodb://...?authSource=admin for MongoDB. The new database counts against your account-wide slot and storage quota, the same quota the dashboard uses.

Reveal a database

GEThttps://hep.gg/api/v1/db/databases/:idAuth required
Return one database with its current password and connection string.

Returns a single database you own, including its current password and a ready-to-use connection string. Passwords are stored encrypted, so this decrypts the stored value; it does not reset it. A database id that is not yours returns 404.

curl
curl https://hep.gg/api/v1/db/databases/$DB_ID \
  -H "Authorization: Bearer $DB_KEY"

The 200 body is the create-response shape plus the size and status fields from the list:

200 response
{
  "ok": true,
  "data": {
    "id": "01HV...",
    "name": "my-app",
    "engine": "mariadb",
    "dbName": "um_0a1b2c3d4e_1",
    "dbUser": "dum_0a1b2c3d4e_1",
    "password": "current password",
    "connectionString": "mysql://dum_0a1b2c3d4e_1:...@db.teamhydra.dev:3306/um_0a1b2c3d4e_1",
    "sizeBytes": 1048576,
    "sizeRefreshedAt": "2026-05-28T12:00:00.000Z",
    "status": "active",
    "createdAt": "2026-05-20T09:30:00.000Z"
  }
}

Rotate a password

POSThttps://hep.gg/api/v1/db/databases/:id/rotateAuth required
Set a new password on the database user and return it.

Generates a new password, applies it to the database user on the engine, and returns it. The old password stops working immediately, so update anything that connects. A database id that is not yours returns 404. No request body.

curl
curl -X POST https://hep.gg/api/v1/db/databases/$DB_ID/rotate \
  -H "Authorization: Bearer $DB_KEY"
200 response
{
  "ok": true,
  "data": {
    "id": "01HV...",
    "name": "my-app",
    "engine": "mariadb",
    "dbName": "um_0a1b2c3d4e_1",
    "dbUser": "dum_0a1b2c3d4e_1",
    "password": "the new password",
    "connectionString": "mysql://dum_0a1b2c3d4e_1:...@db.teamhydra.dev:3306/um_0a1b2c3d4e_1"
  }
}

Errors and status codes

Errors use the standard envelope { "ok": false, "error": "...", "code": "..." }. The code is present on the machine-readable cases below; the duplicate-name and name-validation cases return a message without a code.

StatusCodeWhen
400(none)The name failed validation (length, allowed characters, or first character).
400ENGINE_DISABLEDThe requested engine is not available on this deployment.
401NO_KEYNo Authorization header, or an empty token.
401BAD_KEYThe token does not match any key.
401KEY_DISABLEDThe key exists but is disabled (by you, or by a suspension cascade).
402OUT_OF_SLOTSNo free database slots. Buy a pack or upgrade to Premium.
403(none)The owning account is suspended or not allowed to use the app.
404NOT_FOUNDReveal or rotate against a database id that is not one you own.
409(none)You already have a database with that name.

Slot and storage limits are account-wide and shared with the dashboard. To add slots or storage, see the dashboard Top Up tab.