> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hyperwisor.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manufacturer API Overview

> The authenticated REST API behind the dev interfaces — base URL, auth, and endpoint groups.

The Manufacturer API is the authenticated REST surface that powers the dev
interfaces (the app-starter, integrations, and your own tooling). It's
key-authenticated and rate-limited.

## Base URL

All requests go through the Hyperwisor worker gateway:

```
https://hyperwisor.nikolaindustry.workers.dev
```

Endpoint paths in this reference are relative to that base.

## Authentication

Every request requires two headers — a public API key and a secret key:

```
x-api-key: mk_...
x-secret-key: msk_...
```

<Warning>
  The `msk_` secret key is privileged. Never embed it in a client app or browser
  bundle — keep it on a server you control. See [Authentication](/api/authentication).
</Warning>

## Rate limiting

Requests are rate-limited per API key (per-minute). Exceeding the limit returns
`429 Too Many Requests`.

## Endpoint groups

| Group                         | Covers                                                    |
| ----------------------------- | --------------------------------------------------------- |
| [Products](/api/products)     | List, create, update, delete products                     |
| [Devices](/api/devices)       | List devices, device commands, send commands, sensor data |
| [Database](/api/database)     | Schemas, tables, and runtime data CRUD                    |
| [Onboarding](/api/onboarding) | QR scan, register/list/remove user devices                |

The API also exposes **dashboard**, **rules**, **analytics**, and **auth**
endpoint groups (e.g. `GET /products/{id}/dashboard`, `GET /rules`,
`GET /analytics/devices`, `POST /auth/signin`). These follow the same auth and
conventions.

## Errors

Errors return a JSON body with an `error` (and often a `message`):

```json theme={null}
{ "error": "Missing API credentials", "message": "Both x-api-key and x-secret-key headers are required." }
```

| Status | Meaning                        |
| ------ | ------------------------------ |
| 401    | Missing or invalid credentials |
| 429    | Rate limit exceeded            |
| 404    | Endpoint or resource not found |
| 500    | Server error                   |

<Card title="Authentication" icon="key" href="/api/authentication">
  Keys, headers, and the secret-key rule.
</Card>