Authentication

All DiffHook API requests must be authenticated with an API key.

API keys

API keys start with dh_live_ followed by a random string. They grant full access to your team's resources — treat them like passwords.

Get your keys at App → Settings → API Keys.

Making authenticated requests

Pass your key as a Bearer token in the Authorization header:

curl https://www.diffhook.com/api/monitors \
  -H "Authorization: Bearer dh_live_yourkey"

Error responses

Requests with a missing or invalid key return 401 Unauthorized:

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing or invalid Authorization header"
  }
}

An expired or revoked key returns:

{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "This API key has been revoked"
  }
}

Security best practices

  • Never commit API keys to source control
  • Use environment variables (DIFFHOOK_API_KEY=dh_live_...) in all environments
  • Rotate keys immediately if one is leaked — old keys can be revoked in Settings
  • Create separate keys for production and development

Key rotation

To rotate a key without downtime:

  1. Generate a new key in Settings
  2. Deploy your app with the new key
  3. Revoke the old key once traffic has shifted
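The practices and error responses above, combined into a small client as an added example (not DiffHook's own code): it reads the key from DIFFHOOK_API_KEY, keeps the full key out of log output, and separates a revoked key, which needs a new key deployed, from a missing or malformed header. The helper names, the JSON response from /api/monitors, and both error bodies arriving with status 401 are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

API_URL = "https://www.diffhook.com/api/monitors"  # endpoint from the curl example
KEY_PREFIX = "dh_live_"

class DiffHookAuthError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code  # "UNAUTHORIZED" or "INVALID_API_KEY" per the docs

def load_key(env=os.environ):
    """Read the key from DIFFHOOK_API_KEY; fail closed on a missing or malformed value."""
    key = env.get("DIFFHOOK_API_KEY", "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError("DIFFHOOK_API_KEY is unset or lacks the dh_live_ prefix")
    return key

def redact(key):
    """Log-safe form: prefix plus last 4 characters, enough to tell keys apart."""
    tail = key[-4:] if len(key) >= len(KEY_PREFIX) + 16 else ""
    return f"{KEY_PREFIX}...{tail}"

def parse_auth_error(body):
    """Map an error body to DiffHookAuthError; tolerate non-JSON bodies."""
    try:
        err = json.loads(body)["error"]
        return DiffHookAuthError(err["code"], err["message"])
    except (ValueError, KeyError, TypeError):
        return DiffHookAuthError("UNKNOWN", "unparseable error body")

def needs_rotation(exc):
    """A revoked/expired key never recovers: swap in a new key instead of retrying."""
    return exc.code == "INVALID_API_KEY"

def list_monitors(key):
    req = urllib.request.Request(API_URL, headers={"Authorization": f"Bearer {key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)  # assumption: the endpoint returns JSON
    except urllib.error.HTTPError as e:
        if e.code == 401:  # assumption: both error bodies arrive with status 401
            exc = parse_auth_error(e.read())
            print(f"auth failed for {redact(key)}: {exc}")
            raise exc from None
        raise
```

During a rotation, a `needs_rotation` hit after the old key is revoked points to an instance that is still running with the old key.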