Authentication
Hyponema uses different credentials for different surfaces.
Workspace API keys
Section titled “Workspace API keys”Workspace API keys authenticate server-to-server API calls.
Authorization: Bearer $HYPONEMA_API_KEYUse them from your backend only. Do not put workspace API keys in browser code, mobile apps, or public repositories.
Signed session tokens
Section titled “Signed session tokens”POST /sessions returns signed URLs and a signed token. These are safe to pass to the browser because they are short-lived and scoped to a single session.
Signed session tokens bind:
- Agent ID.
- User ID.
- Workspace ID.
- Dynamic variable hash.
- Expiration time.
- Session ID.
Dashboard auth
Section titled “Dashboard auth”The dashboard uses magic-link sign-in, access cookies, and refresh cookies. This is separate from workspace API keys and signed session tokens.