Authentication
Every metered endpoint requires an API key in the Authorization header:
curl https://api.hyperinfer.ai/api/v1/chat/completions \
-H "Authorization: Bearer $HYPERINFER_API_KEY" \
...
GET /api/v1/models and health endpoints are the only unauthenticated routes.
API keys
Keys belong to a workspace and are created in the platform dashboard by workspace Admins and Editors.
- The key material (prefix hi-…) is shown exactly once at creation. It is stored as a SHA-256 hash — we cannot recover it. Afterwards a key is identified by its prefix and last four characters.
- Keys are either workspace-assigned (shared) or assigned to a specific member.
- Keys can be disabled or revoked at any time; either takes effect on the next request (propagation across API instances within 30 seconds).
- A missing, malformed, disabled, revoked, or expired key fails with invalid_api_key (HTTP 401) — see Errors.
Spend limits
Each key can carry up to three independent spend limits, denominated in credit-USD:
| Limit | Resets |
|---|---|
| Daily | Every day at 00:00 UTC |
| Monthly | 1st of each month at 00:00 UTC |
| Total | Never — an Admin/Editor can reset it manually (audit-logged) |
When a limit is reached, requests fail with key_limit_exceeded (HTTP 402) until the
limit resets or is raised. Current usage against each limit is always visible in the
dashboard. Limits are enforced globally across all API instances.
Model pinning
A key may carry an allowlist of model slugs. By default a key has no list, which
means all models are allowed. Requests for a model that is not on the key’s list
fail with model_not_allowed (HTTP 403).
Key allowlist: ["anthropic/claude-sonnet-4.5"]
Request model: "openai/gpt-4o-mini" → 403 model_not_allowed
Workspace balance
Admission also requires the workspace to have a positive credit balance (or
invoicing mode enabled). Requests against an empty workspace fail with
insufficient_credits (HTTP 402) — see Usage & Credits.
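The admission rules described in the sections above, combined into one check. This is an added sketch, not HyperInfer's implementation. The record layout, the function names, the seven-character display prefix, the `invoicing` flag and the order in which the checks run are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class KeyRecord:                      # hypothetical layout; no plaintext key is kept
    key_hash: str
    display: str                      # prefix + last four characters, for the dashboard
    status: str = "active"            # active | disabled | revoked
    expires_at: Optional[datetime] = None
    allowlist: Optional[list] = None  # None = no list = all models allowed
    limits: dict = field(default_factory=dict)  # credit-USD caps, e.g. {"daily": 5.0}
    spent: dict = field(default_factory=dict)   # current usage per limit name


def mint_key(store: dict, **opts) -> str:
    """Create a key, store only its SHA-256 hash, return the plaintext once."""
    key = "hi-" + secrets.token_urlsafe(32)     # constructed key format
    digest = sha256_hex(key)
    store[digest] = KeyRecord(digest, f"{key[:7]}…{key[-4:]}", **opts)
    return key


def admit(store, auth_header, model, balance, invoicing=False, now=None):
    """Return (http_status, error_code); (200, None) means admitted."""
    now = now or datetime.now(timezone.utc)
    scheme, _, key = (auth_header or "").partition(" ")
    well_formed = scheme == "Bearer" and key.startswith("hi-")
    rec = store.get(sha256_hex(key)) if well_formed else None
    # Missing, malformed, unknown, disabled, revoked or expired: one error for all.
    if rec is None or rec.status != "active" or (rec.expires_at and rec.expires_at <= now):
        return 401, "invalid_api_key"
    if rec.allowlist is not None and model not in rec.allowlist:
        return 403, "model_not_allowed"
    if any(rec.spent.get(name, 0.0) >= cap for name, cap in rec.limits.items()):
        return 402, "key_limit_exceeded"
    if balance <= 0 and not invoicing:
        return 402, "insufficient_credits"
    return 200, None
```

Because the store is indexed by the hash, a leaked database row exposes only the digest and the display identifier, and every key failure returns the same invalid_api_key response regardless of which condition triggered it.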
One-time playground keys
The interactive playground on the API Reference pages does not use
your stored keys. When you are signed in, it mints a one-time key bound to your
user and chosen workspace with a 10-minute TTL, hard-purged at expiry, and
rate-limited minting. Playground calls are real: real usage, real billing, labeled
source=playground in your usage events.
Treat API keys like passwords: keep them server-side, never commit them, and rotate (revoke + recreate) any key that may have leaked.