Authentication

Manage API keys, rotate credentials, and integrate OAuth flows for secure access to the HookCheck API.

Generate and rotate API keys

Every HookCheck workspace ships with a default API key (hc_live_ prefix for production, hc_test_ for sandbox). Use the Dashboard → Settings → API Keys panel to create scoped keys for specific endpoints, rotate compromised credentials, and audit usage history.

New keys are generated server-side and never transmitted in plain text over the wire. Each key carries a unique UUID suffix (e.g., hc_live_8f3a2b1c-4d9e-4170-9c6f-a3e5d7b2f011) and can be limited to read-only, write, or admin scope. Rotating a key instantly invalidates the old token while preserving all associated webhook endpoints and logs.

Create a new key

Navigate to Settings → API Keys, click "Generate Key", select scope (read/write/admin), and confirm. The key is shown once — copy it immediately into your environment variables or secret manager.

Rotate a key

Click "Rotate" next to any active key. A new key is issued instantly; the old key expires after a 15-minute grace window. All in-flight requests using the old key receive a 401 Unauthorized response after the grace period.

Revoke a key

Permanently delete a key by clicking "Revoke". Revocation is immediate and irreversible. Any webhook endpoint or integration still referencing the revoked key will fail with 401 until updated.

Protect your credentials

HookCheck enforces HTTPS-only communication for all API calls. Authentication is handled via the Authorization: Bearer <api-key> header. Never embed keys in client-side JavaScript, public repositories, or webhook payload bodies.

Rate limits are applied per key: 120 requests per minute for standard plans, 600 requests per minute for Enterprise. Exceeding the limit returns 429 Too Many Requests with a Retry-After header. All authentication events — successful logins, failed attempts, key rotations — are logged in the Audit Trail with ISO 8601 timestamps and originating IP addresses.

Store keys in environment variables

Use HOOKCHECK_API_KEY in your deployment environment. Docker, Vercel, AWS Secrets Manager, and HashiCorp Vault all support injecting secrets at runtime without hardcoding them into source files.
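The following client ties the rules above together: it reads the key from HOOKCHECK_API_KEY instead of source files, sends it only in the Authorization: Bearer header, treats 401 as a rotated or revoked key, and backs off by the server's Retry-After header on 429 rather than retrying immediately. It is an added example, not HookCheck's own SDK: the base URL, the injected transport callable, and the sample keys are assumptions or constructed values.

```python
import os
import re
import time
from dataclasses import dataclass, field

API_BASE = "https://api.hookcheck.example"  # assumed base URL; not taken from the docs
# hc_live_ / hc_test_ prefix followed by the UUID suffix the docs describe
KEY_RE = re.compile(r"^hc_(live|test)_[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

class AuthError(Exception): "401: key rotated past its 15-minute grace window, or revoked."
class RateLimited(Exception): "429 persisted after every Retry-After wait was honoured."

def redact(key: str) -> str:
    """Log-safe form of a key: environment prefix plus last four characters."""
    return f"{key[:8]}...{key[-4:]}" if len(key) > 12 else "***"

def key_environment(key: str) -> str:
    """Return 'production' or 'sandbox' from the key prefix; reject malformed keys."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError("not a HookCheck key: " + redact(key))
    return "production" if m.group(1) == "live" else "sandbox"

class HookCheckClient:
    def __init__(self, transport, api_key=None, sleep=time.sleep, max_retries=3):
        # Key comes from the environment (never source files); fail fast if malformed.
        self.api_key = api_key or os.environ["HOOKCHECK_API_KEY"]
        self.environment = key_environment(self.api_key)
        self.transport = transport  # callable(method, url, headers, body) -> Response
        self.sleep, self.max_retries = sleep, max_retries

    def request(self, method: str, path: str, body=None) -> Response:
        headers = {"Authorization": "Bearer " + self.api_key}
        for _ in range(self.max_retries + 1):
            resp = self.transport(method, API_BASE + path, headers, body)
            if resp.status == 401:
                raise AuthError("API rejected key " + redact(self.api_key))
            if resp.status == 429:
                # Wait for the Retry-After the server asked for before touching the per-key limit again.
                self.sleep(float(resp.headers.get("Retry-After", "1")))
                continue
            return resp
        raise RateLimited(f"still 429 after {self.max_retries} retries")
```

Plug in a real HTTP transport (for example a thin wrapper around urllib) for `transport`; the error messages never contain the full key, so they are safe to forward to log output.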

Use scoped keys per service

Create separate keys for your CI pipeline, staging environment, and production service. A read-only key for your monitoring dashboard limits blast radius if the key is accidentally exposed in log output.

Enable IP allowlists (Enterprise)

Enterprise plans support IP-based restrictions per key. Lock a key to your VPS subnet (e.g., 203.0.113.0/24) so requests from unauthorized origins are rejected before authentication is even evaluated.

Connect third-party services via OAuth 2.0

HookCheck supports OAuth 2.0 authorization code flow for ingesting webhooks from platforms like Stripe, GitHub, and Slack without exposing your HookCheck API key to those services. Configure an OAuth connection in Settings → Integrations → OAuth, then map incoming webhook events to your HookCheck endpoints.

When a configured OAuth provider sends a webhook, HookCheck validates the signature using the provider's shared secret, exchanges the authorization code for an access token, and routes the payload to the correct endpoint. The access token is cached for 3600 seconds and refreshed automatically before expiry. Failed token refreshes trigger an alert to your configured notification channel (email or Slack).

Supported providers

Stripe, GitHub, Slack, Shopify, Twilio, and SendGrid are supported out of the box. Custom OAuth 2.0 providers can be configured with a client ID, client secret, authorization URL, and token URL.

Token lifecycle management

Access tokens are stored encrypted at rest using AES-256-GCM. Refresh tokens are rotated on each use. Expired or revoked tokens are detected within 60 seconds and the affected integration is flagged in the Dashboard.