
Authentication

The Restore Hub API uses bearer-token authentication. Mint a scoped API key in your dashboard, send it on every request, and rotate or revoke as needed.

Bearer scheme

Send your key in the Authorization header on every request. Keys start with the rh_ prefix and are 40+ characters of opaque base62.

Authorization: Bearer rh_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Mint a key

Open /dashboard/api-keys in the dashboard. Click Create key, give it a name, and pick the scopes you need. The full key value is shown once at creation — copy it before closing the dialog. Restore Hub stores only a hash, so a lost key cannot be recovered.

One key per use. Mint separate keys for production scripts, CI, local development, and AI agents. If one is compromised you rotate just that one.

Scopes

Scopes follow the resource:action format. They're split into three tiers so you can give an agent or script the smallest possible footprint.

Read scopes (23)

Safe by default. List, get, and search operations only.

account:read, ads:read, alerts:read, analytics:read, api-keys:read, audit:read, backups:read, billing:read, blacklist:read, bots:read, discord:read, domains:read, firewall:read, marketplace:read, members:read, panels:read, referrals:read, servers:read, teams:read, templates:read, verify-page:read, whitelist:read, widget:read

Write scopes (23)

Mutate state but never destroy or exfiltrate data permanently.

account:link, account:write, ads:write, alerts:write, api-keys:write, backups:write, billing:write, blacklist:write, bots:write, domains:write, firewall:write, marketplace:write, members:mass-verify, members:massdm, members:write, panels:write, servers:write, teams:write, templates:write, upload:write, verify-page:write, whitelist:write, widget:write

Destructive scopes (7)

These either pull members across servers, restore backups (overwriting current state), delete records, or move money. Treat them like nuclear codes.

account:delete, backups:restore, bots:delete, marketplace:payout, members:pull, servers:delete, templates:apply

Wildcard scope

Granting * grants every scope, including destructive ones. Don't use this for agents or third-party integrations. Reserve it for trusted owner-controlled infrastructure.

When a scope is missing

The API returns 403 Forbidden with an explicit error message and the scope that was needed:

{
  "error": "Missing required scope: backups:restore",
  "requiredScope": "backups:restore",
  "yourScopes": ["servers:read", "backups:read"]
}
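
The tiers and the 403 body above lend themselves to a least-privilege check before a key is handed to a script or agent. The following is an added example, not part of the Restore Hub documentation or SDK: the function names and the allowed_tiers policy are assumptions, while the scope lists and the sample 403 body are copied from this page.

```python
import json

# Scope tiers copied from the lists on this page.
READ = {r + ":read" for r in (
    "account ads alerts analytics api-keys audit backups billing blacklist bots "
    "discord domains firewall marketplace members panels referrals servers teams "
    "templates verify-page whitelist widget").split()}
WRITE = set((
    "account:link account:write ads:write alerts:write api-keys:write backups:write "
    "billing:write blacklist:write bots:write domains:write firewall:write "
    "marketplace:write members:mass-verify members:massdm members:write panels:write "
    "servers:write teams:write templates:write upload:write verify-page:write "
    "whitelist:write widget:write").split())
DESTRUCTIVE = set((
    "account:delete backups:restore bots:delete marketplace:payout members:pull "
    "servers:delete templates:apply").split())
TIERS = {"read": READ, "write": WRITE, "destructive": DESTRUCTIVE}


def tier(scope):
    """Return 'read', 'write', 'destructive', 'wildcard' or 'unknown'."""
    if scope == "*":
        return "wildcard"
    for name, members in TIERS.items():
        if scope in members:
            return name
    return "unknown"


def audit_key(scopes, allowed_tiers=("read",)):
    """Hypothetical policy check: scopes that exceed the consumer's allowed tiers."""
    return sorted(s for s in scopes if tier(s) not in allowed_tiers)


def review_403(body, allowed_tiers=("read",)):
    """Return (requiredScope, tier, grantable) for a 403 body; policy is assumed."""
    required = json.loads(body)["requiredScope"]
    t = tier(required)
    return required, t, t in allowed_tiers


# The 403 body shown on this page.
SAMPLE_403 = ('{"error": "Missing required scope: backups:restore", '
              '"requiredScope": "backups:restore", '
              '"yourScopes": ["servers:read", "backups:read"]}')

if __name__ == "__main__":
    print(audit_key(["servers:read", "members:pull", "*"]))
    print(review_403(SAMPLE_403, allowed_tiers=("read", "write")))
```

Run audit_key over the scopes you plan to select before minting, and route any 403 whose required scope is not grantable under your policy to a human instead of widening the key automatically.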

Rotation & revocation

Revoke a key from /dashboard/api-keys. Revocation is immediate — in-flight requests with that key will return 401 within seconds. For rotation, mint the new key first, deploy it, then revoke the old key once you've confirmed traffic moved over.

Rate limits

Each plan has its own per-minute budget. See Rate Limits for the exact numbers and the response headers you should watch.

Authenticated request examples

curl https://api.restorehub.net/api/v1/account \
  -H "Authorization: Bearer rh_YOUR_KEY"