Authentication

API Key Authentication

All API requests must include your account API key in the Authorization header using the Bearer token scheme:

Authorization: Bearer flp_your_api_key_here

Note that connecting your own Cryptohopper account to a project is done over OAuth, not with these keys — see Connecting Your Cryptohopper Account. Account API keys are only for calling the Cryptohopper.AI API.

Creating API Keys

Go to Account → API Keys in your Cryptohopper.AI dashboard to create and manage API keys.

• Each account can have up to 5 active API keys
• Keys are shown only once at creation — store them securely
• Keys can be revoked at any time from the dashboard
• All keys start with the prefix flp_

For a step-by-step walkthrough see Managing API Keys.

Key Security

• Never share your API keys or commit them to version control
• Use environment variables to store keys in your applications
• Rotate keys regularly and revoke unused keys
• Each key has its own rate limit bucket

Rate Limits

API endpoints have the following rate limits per API key:

Rate limit information is included in response headers: X-RateLimit-Remaining and X-RateLimit-Reset. A request over the limit returns 429 RATE_LIMITED.

Verify Authentication

GET /api/v1/user/me

Use this endpoint to confirm your API key is valid. It returns the authenticated user's profile and is the standard “test your auth” call.

curl https://www.cryptohopper.ai/api/v1/user/me \
  -H "Authorization: Bearer flp_your_api_key_here"

Response (200):

{
  "data": {
    "id": "user_abc123",
    "name": "Your Name",
    "role": "user",
    "source": "api_key"
  }
}

• role — "user" for normal accounts.
• source — how the request was authenticated; "api_key" for programmatic credentials.

A 401 UNAUTHORIZED here means the key is missing, revoked, or malformed. A 403 FORBIDDEN means the account exists but lacks the active Hero subscription that gates API access (see Requirements in the API Overview).

You can also check your current plan and credit balance with GET /api/v1/user/plan.

Programmatic API Key Management

Most users create keys from the dashboard, but the same surface is available over the API for orchestration scenarios — rotating a key from a CI job, listing keys to audit usage, or revoking a leaked key without a UI round-trip.

List API Keys

GET /api/v1/api-keys

Returns metadata for every active (non-revoked) key on the account. Plaintext key material is never returned — only the keyPrefix (the first 8 hex chars of the key, prefixed with flp_).

{
  "data": {
    "keys": [
      {
        "id": "key_abc",
        "name": "ci-deploy",
        "keyPrefix": "flp_a1b2c3d4",
        "lastUsedAt": "2026-04-24T18:30:00Z",
        "createdAt": "2026-04-01T12:00:00Z"
      }
    ]
  }
}

Create API Key

POST /api/v1/api-keys

{
  "name": "ci-deploy"    // required, 1-100 chars
}

Response (201):

{
  "data": {
    "id": "key_xyz",
    "rawKey": "flp_a1b2c3d4…full-40-hex…",
    "keyPrefix": "flp_a1b2c3d4"
  }
}

The rawKey is shown only once— subsequent reads return only the keyPrefix. Store it immediately. Each account is capped at 5 active keys; if you hit the cap the request returns 409 LIMIT_EXCEEDED— revoke an unused key first.

Creating a key requires an active Hero subscription. A request from a non-Hero account returns 403 FORBIDDEN with message “Creating API keys requires the Hero plan”.

Revoke API Key

DELETE /api/v1/api-keys/{keyId}

Pass the key's id (e.g. key_xyz) as the path parameter. The key is invalidated immediately — in-flight requests already on a worker may complete, but no new requests will authenticate.

Response (200):

{ "data": { "success": true } }

• Self-revocation is blocked. Calling DELETE with the same key making the request returns 400 VALIDATION_ERROR — this stops a script from cutting itself off mid-call. Use a different key, or revoke from the dashboard.
• Unknown or already-revoked keys return 404 NOT_FOUND.

A revoked key cannot be restored; create a new one to replace it. Revocation is recorded in the audit log shown on Account → API Keys.