Authentication
Hexclave uses different authentication patterns depending on whether you’re making requests from client-side code (browser, mobile app) or server-side code (your backend).
Client-Side Authentication
For requests from browsers, mobile apps, or other client-side environments:
Server-Side Authentication
For requests from your secure backend server:
Authentication Headers
| Header | Type | Used In | Description |
|---|---|---|---|
| X-Stack-Access-Type | "client" \| "server" | Both | Required. Use "client" for frontend/browser requests, "server" for backend requests. |
| X-Stack-Project-Id | UUID | Both | Required. Your project ID from the Stack dashboard. |
| X-Stack-Publishable-Client-Key | string | Client only | Required for client access. Safe to expose in frontend code. Starts with pck_. |
| X-Stack-Secret-Server-Key | string | Server only | Required for server access. Never expose in client code. Starts with ssk_. |
| X-Stack-Access-Token | string | Client only | Optional. The current user’s access token. Used to act on behalf of a specific user. |
To set up a backend in JavaScript, Python, or another language using the REST
API, see Setup.
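The header rules in the table above, as an added example (not Hexclave's own code): a helper that builds the header set for each access type and refuses a key of the wrong kind, so a secret server key cannot end up in a client request. The names buildStackHeaders and redactForLog and their option names are hypothetical.

```javascript
// Added example: header names, key prefixes and "Used In" rules come from the
// table above; buildStackHeaders and its option names are hypothetical.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function buildStackHeaders({ accessType, projectId, key, accessToken }) {
  if (accessType !== "client" && accessType !== "server") {
    throw new Error('accessType must be "client" or "server"');
  }
  if (!UUID_RE.test(String(projectId))) {
    throw new Error("projectId must be a UUID");
  }
  const headers = {
    "X-Stack-Access-Type": accessType,
    "X-Stack-Project-Id": projectId,
  };
  if (accessType === "client") {
    // A secret server key must never be shipped in client code, so refuse
    // to build a client request around one instead of silently sending it.
    if (typeof key !== "string" || !key.startsWith("pck_")) {
      throw new Error("client access requires a publishable client key (pck_...)");
    }
    headers["X-Stack-Publishable-Client-Key"] = key;
    if (accessToken) headers["X-Stack-Access-Token"] = accessToken;
  } else {
    if (typeof key !== "string" || !key.startsWith("ssk_")) {
      throw new Error("server access requires a secret server key (ssk_...)");
    }
    // The table lists the access token as "Client only".
    if (accessToken) {
      throw new Error("X-Stack-Access-Token is listed as client only");
    }
    headers["X-Stack-Secret-Server-Key"] = key;
  }
  return headers;
}

// Copy of the headers that is safe to write to logs: secrets are masked.
function redactForLog(headers) {
  const secret = new Set(["X-Stack-Secret-Server-Key", "X-Stack-Access-Token"]);
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k, secret.has(k) ? "[redacted]" : v])
  );
}
```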
Getting Started
Set up authentication
Configure the appropriate authentication method (sessions, API keys, or
webhook verification).
FAQ
Which languages are supported?
Any language that has the ability to send HTTP requests can use the Stack REST API. This includes JavaScript, Python, Ruby, Java, Go, C#, Dart, and many more.
Should I use client or server access type?
Client access type (X-Stack-Access-Type: client) is for client-side applications like browsers and mobile apps. Client APIs can only read and update the currently authenticated user’s data. Use your publishable client key (pck_...) - it’s safe to include in frontend code.
Server access type (X-Stack-Access-Type: server) is for your secure backend server. It has full access over all user data using your secret server key (ssk_...).
Never use server access type or secret server keys in client-side code, browser requests, or any publicly accessible location. Always keep server keys secure on your backend.
For more information, see the HexclaveClientApp and HexclaveServerApp SDK reference.
What is this 'admin' access type that I see?
If you’d like to build your own version of the Stack dashboard (or update project configuration programmatically), you can use the admin access type. These endpoints are very dangerous and you should only use them if you know what you’re doing.
For more information, see the HexclaveClientApp and HexclaveServerApp SDK reference.
How do I handle API errors?
Hexclave API returns standard HTTP status codes. Common error responses include:
400 Bad Request - Invalid request parameters
401 Unauthorized - Invalid or missing authentication
403 Forbidden - Insufficient permissions
404 Not Found - Resource not found
429 Too Many Requests - Rate limit exceeded
500 Internal Server Error - Server error
Are there rate limits?
Yes, Hexclave implements rate limiting to ensure fair usage and system stability. Rate limits vary by endpoint and access type. When you exceed the rate limit, you’ll receive a 429 Too Many Requests response with headers indicating when you can retry.
Need Help?
Getting Started Guide
Check the Getting Started Guide for initial setup.
Documentation
Visit the Concepts section for Hexclave fundamentals.
Discord Community
Join the Discord community for support and discussions.