All API endpoints except GET /v0/health require authentication. Harmstack uses API key authentication via the standard HTTP Authorization header.
Get your API key
Contact Vetted Medical or your account team to obtain an API key. Store it securely — you will not be able to retrieve the key value after it is issued.
Authenticate a request
Include your API key as a bearer token in the Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Examples
curl https://api.harmstack.com/v0/me \
-H "Authorization: Bearer YOUR_API_KEY"
Error responses
If authentication fails, the API returns 401 Unauthorized:
{"error": "unauthorized"}
- The
Authorization header is missing entirely
- The header value does not start with
Bearer
- The API key is invalid or has been revoked
Using the CLI
The harmstack CLI reads your API key from the HARMSTACK_API_KEY environment variable. You can also pass it explicitly with the --harmstack-api-key flag on any command.
Security
Store your API key in an environment variable (HARMSTACK_API_KEY) and read it at runtime. Never hardcode your API key directly in source code or commit it to version control.
