Authentication
All HiveClaw API requests are authenticated using API keys sent via the Authorization header.
API Key Format
HiveClaw API keys use the hc_ prefix followed by a 48-character random string:
hc_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4Keys are hashed with bcrypt before storage. The full key is only shown once at creation time — it cannot be retrieved afterward.
Using Your Key
Include your API key in the Authorization header as a Bearer token:
curl https://hiveclaw.ai/api/v1/mcp/projects \
-H "Authorization: Bearer hc_your_key_here"Or set it as an environment variable:
export HIVECLAW_API_KEY="hc_your_key_here"
curl https://hiveclaw.ai/api/v1/mcp/projects \
-H "Authorization: Bearer $HIVECLAW_API_KEY"Scopes
Each API key has a set of scopes that control which endpoints it can access. Scopes follow a resource:action pattern:
| Scope | Group | Description |
|---|---|---|
projects:read | Projects | View projects, status, and progress |
projects:write | Projects | Create projects and submit project briefs |
agents:read | Agents | View agent status and conversation history |
agents:interact | Agents | Send messages to the CEO agent (Alfred) |
vault:read | Vault | List credentials and view access logs |
vault:write | Vault | Deposit credentials and fulfill requests |
pa:access | HivePA | Interact with Archie, your personal assistant |
dashboard:read | Dashboard | View dashboard summaries and usage data |
dashboard:export | Dashboard | Export reports and analytics data |
Scope Presets
When creating a key, you can choose from presets for common use cases:
| Preset | Included Scopes |
|---|---|
| Full Access | All 9 scopes |
| MCP Assistant | projects:read, agents:read, agents:write, pa:access, dashboard:read |
| Vault Only | vault:read, vault:write |
| Read Only | projects:read, agents:read, vault:read, dashboard:read |
| PA Only | pa:access |
| Custom | Choose any combination of scopes |
Error Responses
If authentication fails, you'll receive one of these responses:
401 — Missing or Invalid Key
{
"success": false,
"error": {
"code": "UNAUTHORIZED",
"message": "Invalid or missing API key"
}
}403 — Insufficient Scope
{
"success": false,
"error": {
"code": "FORBIDDEN",
"message": "API key missing required scope: agents:write"
}
}Security Best Practices
- Use the minimum scopes needed for your integration
- Set an expiration date on keys used in CI/CD or temporary environments
- Store keys in environment variables, never in source code
- Rotate keys periodically and revoke unused keys
- Use separate keys for different environments (development, staging, production)