Skip to main content

Authentication

Every endpoint under /v1 is authenticated with an API key passed as a Bearer token:
curl https://api.myhamlet.com/v1/locations \
  -H "Authorization: Bearer hmlt_your_api_key"
API keys are prefixed with hmlt_ and are tied to your organization’s entitlements — the set of locations your key may read. Endpoints only ever return data within those entitlements; anything outside them responds as if it does not exist (a 404), so resource existence is never leaked across organizations. A missing, malformed, revoked, or unentitled key returns 401 with the standard error envelope:
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid API key."
  }
}
/health, /openapi.json, and the docs are the only public, unauthenticated routes. Everything under /v1 requires a key.
Requests are also rate-limited per key — see Rate limits.