Authentication
All Gate and Public endpoints require an API key withauth permission. Send it in the X-API-Key header:
Base URLs
Replace{project_id} with your project’s UUID.
| Surface | Base URL | Protection |
|---|---|---|
| Gate API | https://org-api.hexoforge.dev/api/v1/gate/{project_id}/auth | Cloudflare Worker (DDoS, firewall, IP rules, rate limits) |
| Public API | https://org-api.hexoforge.dev/api/v1/pub/{project_id}/auth | Backend-only (IP rules, firewall, rate limits) |
| JWKS | https://org-api.hexoforge.dev/api/v1/pub/{project_id}/.well-known/jwks.json | No API key or Bearer |
Rate limiting
Every endpoint is rate-limited. Default limits are configurable per project:| Category | Default limit | Applied to |
|---|---|---|
login | 10 requests per minute per IP | /login, /login/totp |
register | 5 requests per minute per IP | /register |
password_reset | 5 requests per minute per IP | /forgot-password, /reset-password |
general | 30 requests per second per IP | All other endpoints |
429 Too Many Requests with IETF-compliant headers: