Skip to content

The API Tokens API provides programmatic access to create, manage, and inspect long-lived authentication tokens on the Hoody platform. Use these endpoints to mint tokens with fine-grained permissions, restrict them by IP or realm, rotate secrets by copying, and enforce 2FA verification on sensitive operations. Token values are only returned once at creation or copy time and are never retrievable afterwards.

List all auth tokens for the authenticated user. Token values are never included in the response.

This endpoint takes no parameters.

Terminal window
curl -X GET https://api.hoody.com/api/v1/auth/tokens \
-H "Authorization: Bearer <token>"

Get details of a specific auth token. The token value is not included.

NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token
Terminal window
curl -X GET https://api.hoody.com/api/v1/auth/tokens/507f1f77bcf86cd799439011 \
-H "Authorization: Bearer <token>"

Return metadata, permissions, and realm restrictions for the currently authenticated auth token. This endpoint is allowed on the base api.hoody.com domain for realm-scoped tokens to bootstrap realm discovery.

This endpoint takes no parameters.

Terminal window
curl -X GET https://api.hoody.com/api/v1/auth/tokens/me \
-H "Authorization: Bearer <token>"

Create a new long-term authentication token with optional IP restrictions, realm restrictions, expiration, and a fine-grained permission set.

This endpoint takes no path, query, or header parameters.

FieldTypeRequiredDescription
aliasstringNoUser-friendly alias. Allowed characters: letters, numbers, spaces, underscores, hyphens (max 254). If omitted, a random animal name is generated.
public_keystring | nullNoOptional ED25519 public key as 64-character hexadecimal string. Pass null to clear.
public_storageobject | nullNoArbitrary public JSON profile object (max 64KB serialized). Pass null to clear.
ip_whitelistarray | stringNoIP allowlist. Accepts an array of IPv4 addresses/CIDR ranges, a comma-separated string, or "*" wildcard. Defaults to "*".
permission_templatestringNoPermission template name. If provided, takes precedence over permissions. One of: full_access, external_customer, dev_team, finance_team, read_only.
permissionsobjectNoFine-grained permissions. Any missing permission path defaults to false (deny).
realm_idsarrayNoRealm IDs this token is restricted to. If provided, the token can only be used on these realm subdomains.
allow_no_realmbooleanNoWhether the token can be used without a realm scope. Defaults to true. Set to false for strict sub-account tokens.
vault_accessbooleanNoWhether the token can access vault endpoints. Defaults to false.
event_accessbooleanNoWhether the token can access event streams and event history. Defaults to true.
expires_atstring | numberNoExpiration as ISO 8601 timestamp, Unix timestamp (seconds or milliseconds), "today", or "tomorrow". Omit for a non-expiring token.
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled on the account.
Terminal window
curl -X POST https://api.hoody.com/api/v1/auth/tokens \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"alias": "Production API Key",
"public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
"public_storage": {
"display_name": "Production Integrations",
"tier": "gold"
},
"ip_whitelist": ["192.168.1.0/24", "10.0.0.1"],
"vault_access": true,
"expires_at": 1767225599000
}'

Update an existing auth token. Any field omitted from the request body is left unchanged. Provide null to clear expires_at, public_key, or public_storage.

NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token to update
FieldTypeRequiredDescription
aliasstringNoNew token alias (letters, numbers, spaces, underscores, hyphens; max 254)
public_keystring | nullNoNew ED25519 public key (64 hex chars), or null to clear
public_storageobject | nullNoNew public profile payload (max 64KB), or null to clear
ip_whitelistarray | stringNoNew IP allowlist (array, comma-separated string, or *)
permissionsobjectNoReplacement permission set; any omitted path defaults to false (deny)
realm_idsarrayNoReplacement realm restriction list
allow_no_realmbooleanNoWhether the token can be used without a realm scope
vault_accessbooleanNoWhether the token can access vault endpoints
event_accessbooleanNoWhether the token can access event streams and event history
expires_atstring | number | nullNoNew expiration as ISO timestamp, Unix timestamp, today, tomorrow, or null to make non-expiring
is_enabledbooleanNoEnable or disable the token
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled on the account.
Terminal window
curl -X PATCH https://api.hoody.com/api/v1/auth/tokens/507f1f77bcf86cd799439011 \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"alias": "Updated Production Key",
"public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
"public_storage": {
"display_name": "Updated Profile",
"links": { "website": "https://example.com" }
},
"ip_whitelist": ["*"],
"vault_access": false,
"expires_at": null,
"is_enabled": false
}'

Copy an existing auth token’s configuration (permissions, realm restrictions, IP whitelist, public profile) into a new token with a freshly generated secret value. Useful for secret rotation without changing scopes.

NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token to copy
FieldTypeRequiredDescription
aliasstringNoAlias for the copied token (max 254). If omitted, a deterministic alias like "&lt;source&gt; copy" is generated.
expires_atstring | number | nullNoOverride the source expiration. Accepts ISO 8601 timestamp, Unix timestamp, today, tomorrow, or null to make non-expiring.
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled on the account.
Terminal window
curl -X POST https://api.hoody.com/api/v1/auth/tokens/507f1f77bcf86cd799439011/copy \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"alias": "Production API Key Copy"
}'

Permanently delete an auth token. Once deleted, the token can no longer be used for authentication.

NameInTypeRequiredDescription
idpathstringYesUnique identifier of the token
Terminal window
curl -X DELETE https://api.hoody.com/api/v1/auth/tokens/507f1f77bcf86cd799439011 \
-H "Authorization: Bearer <token>"

Realm-scoped tokens are bound to one or more realm IDs. These endpoints add or remove realm bindings without rewriting the rest of the token configuration. Both operations are idempotent: re-adding an existing realm or removing a missing realm returns success without modification.

Atomically add a realm ID to an auth token.

NameInTypeRequiredDescription
idpathstringYesAuth token ID
FieldTypeRequiredDescription
realm_idstringYesRealm ID to add to the token (24-character hex)
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled on the account.
Terminal window
curl -X POST https://api.hoody.com/api/v1/auth/tokens/507f1f77bcf86cd799439011/add-realm \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"realm_id": "507f1f77bcf86cd799439033"
}'

POST /api/v1/auth/tokens/{id}/remove-realm

Section titled “POST /api/v1/auth/tokens/{id}/remove-realm”

Atomically remove a realm ID from an auth token. Idempotent: removing a realm that is not currently bound returns success without modification.

NameInTypeRequiredDescription
idpathstringYesAuth token ID
FieldTypeRequiredDescription
realm_idstringYesRealm ID to remove from the token (24-character hex)
otp_codestringNoTOTP code (6 digits) or backup code (10 alphanumeric). Required if 2FA is enabled on the account.
Terminal window
curl -X POST https://api.hoody.com/api/v1/auth/tokens/507f1f77bcf86cd799439011/remove-realm \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"realm_id": "507f1f77bcf86cd799439033"
}'

Tokens can carry an optional ED25519 public key and an arbitrary JSON profile blob (public_storage, max 64KB). These are resolved via the public key, allowing third parties to look up a token’s public profile without holding the secret.

GET /api/v1/auth/tokens/public-profiles/{public_key}

Section titled “GET /api/v1/auth/tokens/public-profiles/{public_key}”

Resolve and retrieve an auth token public profile by its ED25519 public key.

NameInTypeRequiredDescription
public_keypathstringYesED25519 public key to resolve (64 hex characters)
Terminal window
curl -X GET https://api.hoody.com/api/v1/auth/tokens/public-profiles/a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234 \
-H "Authorization: Bearer <token>"

PATCH /api/v1/auth/tokens/me/public-profile

Section titled “PATCH /api/v1/auth/tokens/me/public-profile”

Update the currently authenticated token’s public_key and/or public_storage. Requires the resources.auth_token_public_profile permission on the token. At least one of public_key or public_storage must be provided. Pass null to clear either field.

This endpoint takes no path, query, or header parameters.

FieldTypeRequiredDescription
public_keystring | nullNoNew ED25519 public key (64 hex chars), or null to clear
public_storageobject | nullNoNew public profile payload (max 64KB), or null to clear
Terminal window
curl -X PATCH https://api.hoody.com/api/v1/auth/tokens/me/public-profile \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"public_key": "a1b2c3d4e5f6789012345678901234567890abcdefabcdefabcdefabcdef1234",
"public_storage": {
"username_hint": "acme-team",
"avatar": "https://cdn.example.com/avatar.png"
}
}'