Skip to content
Hoody Documentation
Download Page (.md)

The API Tokens endpoints let you create and manage long-lived authentication tokens for programmatic access to the Hoody platform. Use these endpoints to issue scoped tokens with IP restrictions, expiration, and fine-grained permissions, and to manage their lifecycle (update, copy, add/remove realm bindings, delete).

List auth tokens

Section titled “List auth tokens”

Returns all auth tokens for the authenticated user. Token values are not included in the response.

Terminal window
curl -X GET https://api.hoody.icu/api/v1/auth/tokens \
  -H "Authorization: Bearer <token>"

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Auth tokens retrieved successfully",
  "data": [
    {
      "id": "507f1f77bcf86cd799439011",
      "alias": "Production API Key",
      "prefix": "hdy_",
      "ip_whitelist": ["192.168.1.0/24", "10.0.0.1"],
      "realm_ids": [],
      "allow_no_realm": true,
      "expires_at": "2025-12-31T23:59:59.000Z",
      "is_enabled": true,
      "vault_access": true,
      "event_access": true,
      "last_used_at": "2025-10-28T12:00:00.000Z",
      "last_used_ip": "198.51.100.1",
      "created_at": "2025-01-15T10:30:00.000Z",
      "updated_at": "2025-01-15T14:45:00.000Z"
    },
    {
      "id": "507f1f77bcf86cd799439022",
      "alias": "Development Token",
      "prefix": "hdy_",
      "ip_whitelist": ["*"],
      "realm_ids": ["507f1f77bcf86cd799439011"],
      "allow_no_realm": false,
      "expires_at": null,
      "is_enabled": true,
      "vault_access": false,
      "event_access": true,
      "last_used_at": null,
      "last_used_ip": null,
      "created_at": "2025-01-10T08:00:00.000Z",
      "updated_at": "2025-01-10T08:00:00.000Z"
    }
  ]
}

Get auth token by ID

Section titled “Get auth token by ID”

Returns details of a specific auth token. The token value is not included in the response.

Terminal window
curl -X GET https://api.hoody.icu/api/v1/auth/tokens/507f1f77bcf86cd799439011 \
  -H "Authorization: Bearer <token>"

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Auth token retrieved successfully",
  "data": {
    "id": "507f1f77bcf86cd799439011",
    "alias": "Production API Key",
    "prefix": "hdy_",
    "ip_whitelist": ["192.168.1.0/24", "10.0.0.1"],
    "realm_ids": [],
    "allow_no_realm": true,
    "expires_at": "2025-12-31T23:59:59.000Z",
    "is_enabled": true,
    "vault_access": true,
    "event_access": true,
    "last_used_at": "2025-10-28T12:00:00.000Z",
    "last_used_ip": "198.51.100.1",
    "created_at": "2025-01-15T10:30:00.000Z",
    "updated_at": "2025-01-15T14:45:00.000Z"
  }
}

Get current auth token details

Section titled “Get current auth token details”

Returns metadata, permissions, and realm restrictions for the currently authenticated auth token. This endpoint is allowed on the base api.hoody.icu domain for realm-scoped tokens to bootstrap realm discovery.

Terminal window
curl -X GET https://api.hoody.icu/api/v1/auth/tokens/me \
  -H "Authorization: Bearer <token>"

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Current auth token retrieved successfully",
  "data": {
    "token": {
      "id": "507f1f77bcf86cd799439011",
      "alias": "External Customer Token",
      "prefix": "hdy_",
      "ip_whitelist": ["*"],
      "realm_ids": ["507f1f77bcf86cd799439012"],
      "allow_no_realm": false,
      "permissions": {
        "containers": {
          "read": true,
          "create": true
        },
        "resources": {
          "realms": true
        }
      },
      "expires_at": null,
      "is_enabled": true,
      "vault_access": false,
      "event_access": true,
      "created_at": "2025-01-15T10:30:00.000Z",
      "updated_at": "2025-01-15T10:30:00.000Z"
    },
    "restrictions": {
      "has_realm_restrictions": true,
      "requires_realm_scope": true,
      "allowed_realm_ids": ["507f1f77bcf86cd799439012"],
      "allow_no_realm": false,
      "active_realm_id": "507f1f77bcf86cd799439012"
    }
  }
}

Get auth token public profile by public key

Section titled “Get auth token public profile by public key”

Resolves and retrieves an auth token’s public profile storage by ED25519 public key.

Terminal window
curl -X GET https://api.hoody.icu/api/v1/auth/tokens/public-profiles/a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234 \
  -H "Authorization: Bearer <token>"

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
public_keypathstringYesED25519 public key to resolve

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Public profile retrieved successfully",
  "data": {
    "public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
    "public_storage": {
      "display_name": "Acme Integrations",
      "website": "https://example.com"
    }
  }
}

Create a new auth token

Section titled “Create a new auth token”

Creates a new long-term authentication token with optional IP restrictions, expiration, and fine-grained permissions.

Terminal window
curl -X POST https://api.hoody.icu/api/v1/auth/tokens \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "alias": "Production API Key",
    "public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
    "public_storage": {
      "display_name": "Production Integrations",
      "tier": "gold"
    },
    "ip_whitelist": ["192.168.1.0/24", "10.0.0.1"],
    "vault_access": true,
    "expires_at": 1767225599000
  }'

Request Body

Section titled “Request Body”
FieldTypeRequiredDescription
aliasstringNoUser-friendly alias. Allowed characters: letters, numbers, spaces, underscores, hyphens. If omitted, a random animal name is generated.
public_keystring | nullNoED25519 public key (64 hex chars) or null to clear.
public_storageobject | nullNoPublic JSON profile storage (max 64KB) or null to clear.
ip_whitelistarray | stringNoArray of IPv4 addresses/CIDR ranges, comma-separated string, or * wildcard. Defaults to *.
permission_templatestringNoPermission template to apply (full_access, external_customer, dev_team, finance_team, read_only). Takes precedence over permissions.
permissionsobjectNoFine-grained permission map. Missing paths default to false.
realm_idsarrayNoRealm IDs to restrict this token to.
allow_no_realmbooleanNoWhether the token can be used without a realm scope. Default: true.
vault_accessbooleanNoWhether the token can access user vault endpoints. Default: false.
event_accessbooleanNoWhether the token can access event streams. Default: true.
expires_atstring | numberNoISO 8601 date, Unix timestamp, today, or tomorrow.
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled and authenticating via JWT.

Response

Section titled “Response”
{
  "statusCode": 201,
  "message": "Auth token created successfully",
  "data": {
    "token": "hdy_a1b2c3d4e5f67890abcdef1234567890",
    "id": "507f1f77bcf86cd799439011",
    "alias": "Production API Key",
    "prefix": "hdy_",
    "public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
    "public_storage": {
      "display_name": "Production Integrations",
      "tier": "gold"
    },
    "ip_whitelist": ["192.168.1.0/24", "10.0.0.1"],
    "realm_ids": [],
    "allow_no_realm": true,
    "permissions": {
      "containers": {
        "read": true
      }
    },
    "expires_at": "2025-12-31T23:59:59.000Z",
    "is_enabled": true,
    "vault_access": true,
    "event_access": true,
    "last_used_at": null,
    "last_used_ip": null,
    "created_at": "2025-01-15T10:30:00.000Z",
    "updated_at": "2025-01-15T10:30:00.000Z"
  }
}

Add realm to auth token

Section titled “Add realm to auth token”

Atomically adds a realm ID to an auth token. Idempotent — if the realm is already present, returns success without modification.

Terminal window
curl -X POST https://api.hoody.icu/api/v1/auth/tokens/507f1f77bcf86cd799439011/add-realm \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "realm_id": "507f1f77bcf86cd799439012"
  }'

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
idpathstringYesAuth token ID

Request Body

Section titled “Request Body”
FieldTypeRequiredDescription
realm_idstringYesRealm ID to add to the token
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled and authenticating via JWT.

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Realm added to auth token successfully",
  "data": {
    "id": "507f1f77bcf86cd799439011",
    "alias": "External Customer Token",
    "prefix": "hdy_",
    "ip_whitelist": ["*"],
    "realm_ids": ["507f1f77bcf86cd799439012", "507f1f77bcf86cd799439013"],
    "allow_no_realm": false,
    "permissions": {
      "containers": { "read": true }
    },
    "expires_at": null,
    "is_enabled": true,
    "vault_access": false,
    "event_access": true,
    "last_used_at": null,
    "last_used_ip": null,
    "created_at": "2025-01-15T10:30:00.000Z",
    "updated_at": "2025-01-15T15:00:00.000Z"
  }
}

Copy auth token

Section titled “Copy auth token”

Copies an existing auth token’s configuration (permissions, realm restrictions, IP whitelist) into a new token with a new secret value.

Terminal window
curl -X POST https://api.hoody.icu/api/v1/auth/tokens/507f1f77bcf86cd799439011/copy \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "alias": "Production API Key Copy"
  }'

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token

Request Body

Section titled “Request Body”
FieldTypeRequiredDescription
aliasstringNoOptional alias for the copied token. If omitted, a deterministic alias like "&lt;source&gt; copy" is generated.
expires_atstring | number | nullNoISO 8601 date, Unix timestamp, today, tomorrow, or null for non-expiring. Defaults to source expiration.
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled and authenticating via JWT.

Response

Section titled “Response”
{
  "statusCode": 201,
  "message": "Auth token copied successfully",
  "data": {
    "token": "hdy_f0e1d2c3b4a5968778695a4b3c2d1e0f1234567890abcdef",
    "id": "507f1f77bcf86cd799439099",
    "alias": "Production API Key Copy",
    "prefix": "hdy_",
    "ip_whitelist": ["192.168.1.0/24", "10.0.0.1"],
    "realm_ids": ["507f1f77bcf86cd799439011"],
    "allow_no_realm": false,
    "permissions": {
      "containers": { "read": true }
    },
    "expires_at": "2025-12-31T23:59:59.000Z",
    "is_enabled": true,
    "vault_access": true,
    "event_access": true,
    "last_used_at": null,
    "last_used_ip": null,
    "created_at": "2025-01-20T08:30:00.000Z",
    "updated_at": "2025-01-20T08:30:00.000Z"
  }
}

Remove realm from auth token

Section titled “Remove realm from auth token”

Atomically removes a realm ID from an auth token. Idempotent — if the realm is not present, returns success without modification.

Terminal window
curl -X POST https://api.hoody.icu/api/v1/auth/tokens/507f1f77bcf86cd799439011/remove-realm \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "realm_id": "507f1f77bcf86cd799439012"
  }'

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
idpathstringYesAuth token ID

Request Body

Section titled “Request Body”
FieldTypeRequiredDescription
realm_idstringYesRealm ID to remove from the token
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled and authenticating via JWT.

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Realm removed from auth token successfully",
  "data": {
    "id": "507f1f77bcf86cd799439011",
    "alias": "External Customer Token",
    "prefix": "hdy_",
    "ip_whitelist": ["*"],
    "realm_ids": [],
    "allow_no_realm": false,
    "permissions": {
      "containers": { "read": true }
    },
    "expires_at": null,
    "is_enabled": true,
    "vault_access": false,
    "event_access": true,
    "last_used_at": null,
    "last_used_ip": null,
    "created_at": "2025-01-15T10:30:00.000Z",
    "updated_at": "2025-01-15T15:10:00.000Z"
  }
}

Update auth token

Section titled “Update auth token”

Updates an existing auth token’s alias, public key/profile storage, IP restrictions, expiration, enabled status, permissions, or realm bindings.

Terminal window
curl -X PATCH https://api.hoody.icu/api/v1/auth/tokens/507f1f77bcf86cd799439011 \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "alias": "Updated Production Key",
    "ip_whitelist": ["*"],
    "vault_access": false,
    "expires_at": null,
    "is_enabled": false
  }'

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token to update

Request Body

Section titled “Request Body”
FieldTypeRequiredDescription
aliasstringNoUser-friendly alias. Allowed characters: letters, numbers, spaces, underscores, hyphens.
public_keystring | nullNoED25519 public key (64 hex chars) or null to clear.
public_storageobject | nullNoPublic JSON profile storage (max 64KB) or null to clear.
ip_whitelistarray | stringNoArray of IPv4 addresses/CIDR ranges, comma-separated string, or * wildcard.
permissionsobjectNoFine-grained permission map. Missing paths default to false.
realm_idsarrayNoRealm IDs to restrict this token to.
allow_no_realmbooleanNoWhether the token can be used without a realm scope.
vault_accessbooleanNoWhether the token can access user vault endpoints.
event_accessbooleanNoWhether the token can access event streams and event history.
expires_atstring | number | nullNoISO 8601 date, Unix timestamp, today, tomorrow, or null for non-expiring.
is_enabledbooleanNoEnable or disable the token.
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled and authenticating via JWT.

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Auth token updated successfully",
  "data": {
    "id": "507f1f77bcf86cd799439011",
    "alias": "Updated Production Key",
    "prefix": "hdy_",
    "ip_whitelist": ["*"],
    "realm_ids": [],
    "allow_no_realm": true,
    "permissions": {
      "containers": { "read": true }
    },
    "expires_at": null,
    "is_enabled": false,
    "vault_access": false,
    "event_access": true,
    "last_used_at": "2025-10-28T12:00:00.000Z",
    "last_used_ip": "198.51.100.1",
    "created_at": "2025-01-15T10:30:00.000Z",
    "updated_at": "2025-01-15T14:45:00.000Z"
  }
}

Update current auth token public profile

Section titled “Update current auth token public profile”

Updates the current auth token’s public_key and public_storage payload. Requires the resources.auth_token_public_profile permission on the auth token.

Terminal window
curl -X PATCH https://api.hoody.icu/api/v1/auth/tokens/me/public-profile \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
    "public_storage": {
      "username_hint": "acme-team",
      "avatar": "https://cdn.example.com/avatar.png"
    }
  }'

Request Body

Section titled “Request Body”
FieldTypeRequiredDescription
public_keystring | nullNoED25519 public key (64 hex chars) or null to clear.
public_storageobject | nullNoPublic JSON profile storage (max 64KB) or null to clear.

At least one of public_key or public_storage must be provided.

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Public profile updated successfully",
  "data": {
    "id": "507f1f77bcf86cd799439011",
    "alias": "External Customer Token",
    "prefix": "hdy_",
    "public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
    "public_storage": {
      "username_hint": "acme-team",
      "avatar": "https://cdn.example.com/avatar.png"
    },
    "ip_whitelist": ["*"],
    "realm_ids": ["507f1f77bcf86cd799439012"],
    "allow_no_realm": false,
    "permissions": {
      "containers": { "read": true }
    },
    "expires_at": null,
    "is_enabled": true,
    "vault_access": false,
    "event_access": true,
    "last_used_at": null,
    "last_used_ip": null,
    "created_at": "2025-01-15T10:30:00.000Z",
    "updated_at": "2025-01-15T15:00:00.000Z"
  }
}

Delete auth token

Section titled “Delete auth token”

Deletes an auth token. Once deleted, the token can no longer be used for authentication.

Terminal window
curl -X DELETE https://api.hoody.icu/api/v1/auth/tokens/507f1f77bcf86cd799439011 \
  -H "Authorization: Bearer <token>"

Parameters

Section titled “Parameters”
NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token

Response

Section titled “Response”
{
  "statusCode": 200,
  "message": "Auth token deleted successfully"
}