Authentication

The Hypemarket API uses personal access tokens (PATs). A token is bound to a single user; the same token works across every organization that user belongs to.

Creating a token (web UI)

1. Sign in at hypemarket.ai
2. Navigate to Account → API access tokens (or visit /me/access_tokens)
3. Click New token, give it a description (e.g. “My laptop script”) and choose a permission:
   • Read-only — GET and HEAD requests only
   • Read and write — all verbs

One-time view

The token is shown once. Copy it immediately — you cannot retrieve it again. Lost a token? Revoke it and create a new one.

Creating a token (API)

You can also mint tokens programmatically once you have any existing token:

POST /me/access_tokens.json
Authorization: Bearer <existing-token>
Content-Type: application/json

{ "access_token": { "description": "CI script", "permission": "write" } }

Response (201 Created):

{
  "id": 42,
  "token": "Xy3kPq...",
  "description": "CI script",
  "permission": "write",
  "created_at": "2026-05-05T08:00:00Z"
}

Using a token

Send it as a Bearer header on every JSON request:

curl -H "Authorization: Bearer <your-token>" \
     -H "Accept: application/json" \
     https://hypemarket.ai/me/social_accounts.json

The Accept: application/json header is required — without it the same endpoint returns HTML.

Revoking a token

DELETE /me/access_tokens/:id.json
Authorization: Bearer <your-token>

Returns 204 No Content. Subsequent requests using the revoked token will fail with 401 Unauthorized.

Listing your tokens

GET /me/access_tokens.json
Authorization: Bearer <your-token>

Note

Tokens themselves are not returned by this endpoint — only their metadata (id, description, permission, last used). The plaintext token is only visible at creation time.

Permissions in practice

A read token attempting any non-GET/HEAD request returns:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Token realm="Application"

To upgrade, create a new write-scoped token; tokens are not editable in place.