Master API key

When hosting your own instance, it is possible to setup a master API key. This is a special token that can be used to authenticate almost any API call instance-wide, unlike JWTs and application secrets that are scoped respectively to an organization and to an application.


Events ingestion requires an application secret

The only endpoint that cannot be used with the master API key is the events ingestion endpoint which only works with application secrets.

You can of course use the master API to create everything including an application secret, and then use this application secret to send events.

Enabling the master API key on your instance

By default, this feature is disabled. If you want to enable it, you need to define the MASTER_API_KEY environment variable with a UUID value when running Hook0's API.


Please note that the master API is basically a huge backdoor. Anyone that have access to it can have full control of your Hook0 instance, regardless of internal organizations/permissions.

We provide this feature to help you setup your instance more easily in some scenarios. You should disable it as soon as it is not needed anymore by restarting Hook0's API with the MASTER_API_KEY environment variable unset.

Using the master API key to authenticate API calls

Like any other authentication method, the master API key must be included in HTTP requests using a header:

Authorization: Bearer [token]