Authentication - Hyperwisor

The Manufacturer API uses two keys, both issued from the manufacturer dashboard:

Key	Prefix	Role
Public API key	`mk_`	Identifies your manufacturer account
Secret key	`msk_`	Authorizes privileged requests

Required headers

Send both on every request:

x-api-key: mk_...
x-secret-key: msk_...

Missing either returns 401:

{
  "error": "Missing API credentials",
  "message": "Both x-api-key and x-secret-key headers are required."
}

Keep the secret key server-side

The msk_ secret key must never ship in a client app, mobile binary, or browser bundle. Anyone who extracts it gains privileged access to your account.

Keep the secret key on a server you control (an edge function / worker) and have your client call that server, not the API directly. The client holds only the public key; your server attaches the secret. The app-starter’s docs/SECURITY.md documents this setup.

Rate limits

Each API key has a per-minute rate limit. Exceeding it returns 429. Back off and retry.

Start calling endpoints

Products: list, create, update, delete.

Manufacturer API Overview Products

⌘I

​Required headers

​Keep the secret key server-side

​Rate limits

Start calling endpoints

Required headers

Keep the secret key server-side

Rate limits