API Keys

API keys authenticate consumers and control who can submit help requests to your HeySummon instance.

Creating API Keys

Go to Settings in the dashboard
Click Create API Key
Give it a descriptive name (e.g., “Production Agent”, “Dev Testing”)
Copy the generated key — it starts with hs_

⚠️

The full API key is only shown once. Store it securely — you won’t be able to see it again.

Managing Keys

In Settings, you can:

View all created keys (showing name, prefix, and creation date)
Revoke keys that are no longer needed
Create new keys at any time

Security

Keys use timing-safe comparison during validation (resistant to timing attacks)
Keys are hashed before storage — the raw key exists only in the consumer’s config
Rate limiting applies per IP regardless of key: 30 req/min for API v1 endpoints

Best Practices

Create separate keys for each consumer/environment
Revoke keys that are no longer in use
Rotate keys periodically
Never share keys in public repositories or logs

Dashboard OpenClaw Skill