Skip to main content
The Manufacturer API is the authenticated REST surface that powers the dev interfaces (the app-starter, integrations, and your own tooling). It’s key-authenticated and rate-limited.

Base URL

All requests go through the Hyperwisor worker gateway: 
https://hyperwisor.nikolaindustry.workers.dev
Endpoint paths in this reference are relative to that base.

Authentication

Every request requires two headers — a public API key and a secret key: 
x-api-key: mk_...
x-secret-key: msk_...
The msk_ secret key is privileged. Never embed it in a client app or browser bundle — keep it on a server you control. See Authentication.

Rate limiting

Requests are rate-limited per API key (per-minute). Exceeding the limit returns 429 Too Many Requests.

Endpoint groups

GroupCovers
ProductsList, create, update, delete products
DevicesList devices, device commands, send commands, sensor data
DatabaseSchemas, tables, and runtime data CRUD
OnboardingQR scan, register/list/remove user devices
The API also exposes dashboard, rules, analytics, and auth endpoint groups (e.g. GET /products/{id}/dashboard, GET /rules, GET /analytics/devices, POST /auth/signin). These follow the same auth and conventions.

Errors

Errors return a JSON body with an error (and often a message): 
{ "error": "Missing API credentials", "message": "Both x-api-key and x-secret-key headers are required." }
StatusMeaning
401Missing or invalid credentials
429Rate limit exceeded
404Endpoint or resource not found
500Server error

Authentication

Keys, headers, and the secret-key rule.