API Reference
API keys
How keys work, and how to create, rotate, and revoke them.
Creating a key
Go to Settings → API & Keys, give the key a name (e.g. “Production” or “Zapier”), and create it. The full key is shown once, copy it immediately, as it can't be retrieved again.
Only the key's hash is stored. If you lose a key, revoke it and create a new one. Keys begin with
hunch_ and grant full read/write access to that workspace.Using a key
Pass it as a Bearer token on every request:
Authorization: Bearer hunch_YOUR_KEYThe same key authenticates both the REST API and the MCP server.
Revoking
Revoke a key from the same settings panel. Revocation is immediate, any integration using that key stops working at once. Revoked keys remain listed for reference but can never be used again.
Best practices
- Use a separate key per integration so you can revoke one without affecting others.
- Store keys in environment variables or a secrets manager, never in client-side code or a repo.
- Rotate periodically: create the new key, switch your integration over, then revoke the old one.