Authentication
PushWard uses Bearer token authentication. When you sign in with Apple ID, a default integration key (hlk_) is automatically created -- copy it from the app's settings to start using the API immediately. You can also create additional scoped integration keys for individual services.
Token Format
Tokens follow a prefix + 32 base62 characters (~36 characters total). Only the SHA-256 hash is stored server-side -- tokens cannot be recovered if lost.
Authorization: Bearer hlk_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345 Warning
API tokens and integration keys are shown only once when created. Store them securely -- they cannot be recovered if lost.
Token Types
| Prefix | Type | Scope |
|---|---|---|
hla_ | API Token | Full access to all endpoints |
hlk_ | Integration Key | Configurable: activity:update (default) or activity:manage |
Endpoints
GET
/auth/meGet the current user's profile, activity count, and subscription status.
Response:
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"nickname": "Alice",
"activity_count": 3,
"subscribed": true
}Access Control
| Access Level | Endpoints |
|---|---|
| No auth | GET /health |
hlk_ with activity:update | PATCH /activity/{slug} (owned activities only), GET /activities, GET /activities/{slug}, GET /auth/me |
hlk_ with activity:manage | All of the above, plus POST /activities, DELETE /activities/{slug} |
Full access only (hla_) | Integration key management, activity sharing, account operations |