Authentication and keys

How the uploader bearer token is issued, where it comes from, the accepted header formats, and how to rotate it.

Authentication and keys#

The uploader uses a single per-account bearer token. The same token authenticates every upload and shorten request.

Where the token comes from#

There is no public endpoint that creates a token. The token is minted in the dashboard:

1. Sign in to hep.gg and open the Uploader app.
2. Go to the Setup / API Keys subpage.
3. Copy the displayed token. It looks like hyd-up-<random>.

The token is static per account, it does not expire on a timer. It stays valid until you rotate it or your uploader access is revoked.

Sending the token#

Put the token in the Authorization header on every request. There is no query-string or cookie option for API callers.

Authorization: hyd-up-xxxxxxxxxxxx

A Bearer or Token prefix is accepted but optional. All three forms resolve to the same token:

# Raw token (what the dashboard shows)
curl -H "Authorization: hyd-up-xxxxxxxxxxxx" ...
 
# Bearer prefix also works
curl -H "Authorization: Bearer hyd-up-xxxxxxxxxxxx" ...
 
# Token prefix also works
curl -H "Authorization: Token hyd-up-xxxxxxxxxxxx" ...

// Raw token (recommended, matches the dashboard)
const headers = { Authorization: "hyd-up-xxxxxxxxxxxx" };
 
// These are equivalent:
// { Authorization: "Bearer hyd-up-xxxxxxxxxxxx" }
// { Authorization: "Token hyd-up-xxxxxxxxxxxx" }

Rotating the token#

Rotate from the same Setup / API Keys subpage in the dashboard. Rotation issues a new hyd-up-<random> token and revokes the previous one, so any script still using the old value starts receiving 401 Token revoked. Update your stored credential before or immediately after rotating.

Authentication errors#

Error bodies use the standard error envelope. See Uploading files for the full per-request error table.