Authentication
Every endpoint under /v1 is authenticated with an API key passed as a Bearer token:
curl https://api.myhamlet.com/v1/locations \
-H "Authorization: Bearer hmlt_your_api_key"
API keys are prefixed with hmlt_ and are tied to your organization’s
entitlements — the set of locations your key may read. Endpoints only ever return
data within those entitlements; anything outside them responds as if it does not exist
(a 404), so resource existence is never leaked across organizations.
A missing, malformed, revoked, or unentitled key returns 401 with the standard error
envelope:
{
"error": {
"code": "unauthorized",
"message": "Missing or invalid API key."
}
}
/health, /openapi.json, and the docs are the only public, unauthenticated routes.
Everything under /v1 requires a key.
Requests are also rate-limited per key — see Rate limits.