Documentation

Authentication

Hiras uses a single bearer token — the API key — to authenticate every request except the health check. There are no accounts, no OAuth, and no login server.

The API key

On first launch Hiras generates one key, stored in Android’s Keystore-backed secure storage. It looks like this:

sk_local_xxxxxxxxxxxxxxxxxxxxxxxx

The sk_local_ prefix is a reminder of what it is: a local secret key. It never leaves your devices — Hiras has no server to send it to.

Using it

Send the key as a bearer token on every request:

curl http://<phone-ip>:8080/api/host/info \
  -H "Authorization: Bearer sk_local_xxxxxxxxxxxxxxxxxxxxxxxx"

A missing, malformed, or duplicated Authorization header is treated as unauthorized:

{ "error": "Unauthorized" }

The one exception is GET /health, which needs no key (it is still local-network guarded).

Copying the key to a client

After you tap Start, the app shows the LAN URL and the key, and a QR code that encodes both — scan it to configure a companion client in one step, rather than typing the key by hand.

Regenerating

You can regenerate the key from the app at any time. Regenerating immediately invalidates the old key, so any client still using it will start getting 401 responses — update your clients with the new key.

By design: one key

Hiras issues a single key. There are deliberately no multiple keys, scopes, roles, or expiry — that is the kind of enterprise complexity Hiras exists to avoid. One phone, one key, regenerate when you need to.

Note on transport

On the local network the API is served over plain HTTP, not HTTPS, so treat the key like any LAN secret. For inbound webhooks the key is never transmitted — messages are signed with an HMAC instead, so the send-capable key is never exposed over the wire. See Webhooks for how that signature works.

Next