Authentication

How to authenticate against the HookSentry API — JWT bearer tokens for the dashboard API and API keys for the ingest endpoint.

HookSentry uses two independent authentication schemes, depending on which endpoint you call.

SchemeUsed byHeader
JWT Bearer tokenTenants, Users, Invites, Destinations, Senders, API Keys, Events, QueuesAuthorization: Bearer <accessToken>
API keyIngest endpoint onlyX-Api-Key: <key>

JWT bearer tokens

Call POST /api/v1/auth/login with an email and password to receive an accessToken (TTL 15 minutes) and a refreshToken (TTL 7 days, stored server-side in Redis). Send the access token on every subsequent request:

var request = new HttpRequestMessage(HttpMethod.Get, "https://api.hooksentry.com/api/v1/tenants/{id}");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

using var client = new HttpClient();
var response = await client.SendAsync(request);

When the access token expires, exchange the refresh token for a new pair via POST /api/v1/auth/refresh — the refresh token you send is consumed and a new one is issued (single-use). Call POST /api/v1/auth/logout to invalidate a refresh token and immediately revoke the access token, both before their natural expiry.

Rate limiting:

Login is rate-limited: 10 failed attempts per IP or per email within a 5-minute window returns 429 Too Many Requests. The counter resets on a successful login.

API keys (ingest only)

The ingest endpoint authenticates with an API key instead of a JWT, since the caller is typically a third-party service (GitHub, Stripe, your own backend) rather than a logged in dashboard user. Create a key via POST /api/v1/apikeys (JWT-authenticated), then send it on every ingest call:

X-Api-Key: <key>

The plain text key value is only ever returned once, at creation time — HookSentry stores just a hash. If you lose it, revoke it and create a new one.

Roles

Every user has one role, carried as a role claim in the JWT. Role checks always read the claim from the token — never from the request body — so a caller cannot escalate privileges by editing a payload.

RoleValueCan do
Developer0Manage destinations, senders, API keys; view tenant events
Admin1Everything a Developer can, plus user management, invites, queue purge
Owner10Everything an Admin can, plus promoting/demoting other users to Admin or Owner
Viewer20Read-only access, typically granted via an invite

The tenant's first user (created together with the tenant) is always an Owner.