Authentication
Every request must include an API key. Two equivalent options:
Authorization: Bearer rmh_live_xxxxxxxxxxxxxxxxxxxxxxxx
X-API-Key: rmh_live_xxxxxxxxxxxxxxxxxxxxxxxx
API keys authenticate as your user account. Writes are scoped to your own account; you cannot act on behalf of others.
Key security
- Keys are random 256-bit secrets formatted
rmh_live_<base62>. - The server stores only a SHA-256 hash — the plaintext is shown once at creation and can never be retrieved again. The dashboard shows a non-secret 4-character suffix so you can tell keys apart.
- Treat a key like a password. Keep it server-side; never embed it in a public client, repo, or browser bundle you don't control.
- Scopes: each key carries granular permissions — see Scopes. Grant the least privilege a given integration needs.
- Expiry: a key may be created with an expiry date; expired keys are rejected exactly like revoked ones.
- Rotation: rotate a key from
/developerto issue a new secret while keeping the same key record — the old secret stops working immediately. - Revocation: revoke a key any time from
/developer; it takes effect at once. - If a subscription lapses or the account is suspended, all of that account's keys stop working until the subscription is restored.