Authentication

The Hypemarket API uses personal access tokens (PATs). A token is bound to a single user; the same token works across every organization that user belongs to.

Creating a token (web UI)

Sign in at hypemarket.ai
Navigate to Account → API access tokens (or visit /me/access_tokens)
Click New token, give it a description (e.g. “My laptop script”) and choose a permission:
- Read-only — GET and HEAD requests only
- Read and write — all verbs

Creating a token (API)

You can also mint tokens programmatically once you already have a write-scoped token:

POST /me/access_tokens.json
Authorization: Bearer <existing-token>
Content-Type: application/json

{ "access_token": { "description": "CI script", "permission": "write" } }

Response (201 Created):

{
  "id": "kRpMnX",
  "token": "Xy3kPq...",
  "description": "CI script",
  "permission": "write",
  "created_at": "2026-05-05T08:00:00Z"
}

Using a token

Send it as a Bearer header on every JSON request:

curl -H "Authorization: Bearer <your-token>" \
     -H "Accept: application/json" \
     https://hypemarket.ai/me/social_accounts.json

The .json suffix or Accept: application/json header selects JSON. Using both is fine; without either one the same endpoint falls back to HTML behavior.

Revoking a token

DELETE /me/access_tokens/:id.json
Authorization: Bearer <your-token>

Requires a write-scoped token. Returns 204 No Content. Subsequent requests using the revoked token will fail with 401 Unauthorized.

Listing your tokens

GET /me/access_tokens.json
Authorization: Bearer <your-token>

Permissions in practice

A read token attempting any non-GET/HEAD request returns:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Token realm="Application"

The response body is not guaranteed to be JSON. To upgrade, create a new write-scoped token; tokens are not editable in place.