Authentication
Hiras uses a single bearer token — the API key — to authenticate every request except the health check. There are no accounts, no OAuth, and no login server.
The API key
On first launch Hiras generates one key, stored in Android’s Keystore-backed secure storage. It looks like this:
sk_local_xxxxxxxxxxxxxxxxxxxxxxxx
The sk_local_ prefix is a reminder of what it is: a local secret key. It never leaves
your devices — Hiras has no server to send it to.
Using it
Send the key as a bearer token on every request:
curl http://<phone-ip>:8080/api/host/info \
-H "Authorization: Bearer sk_local_xxxxxxxxxxxxxxxxxxxxxxxx"
A missing, malformed, or duplicated Authorization header is treated as unauthorized:
{ "error": "Unauthorized" }
The one exception is GET /health, which needs no key (it is still local-network guarded).
Copying the key to a client
After you tap Start, the app shows the LAN URL and the key, and a QR code that encodes both — scan it to configure a companion client in one step, rather than typing the key by hand.
Regenerating
You can regenerate the key from the app at any time. Regenerating immediately invalidates
the old key, so any client still using it will start getting 401 responses — update your
clients with the new key.
By design: one key
Hiras issues a single key. There are deliberately no multiple keys, scopes, roles, or expiry — that is the kind of enterprise complexity Hiras exists to avoid. One phone, one key, regenerate when you need to.
Note on transport
On the local network the API is served over plain HTTP, not HTTPS, so treat the key like any LAN secret. For inbound webhooks the key is never transmitted — messages are signed with an HMAC instead, so the send-capable key is never exposed over the wire. See Webhooks for how that signature works.
Next
- REST API — every endpoint.
- Getting started — from install to first message.