Malin
bc9f96cbd4
- Set Spanish as default language with ephemeral/encrypted privacy focus - Translate all user-facing strings and legal pages to Spanish - Replace Norwegian flag with Spanish flag in footer - Remove Hemmelig/terces.cloud links, add cloudhost.es sponsorship - Rewrite PrivacyPage: zero data collection, ephemeral design emphasis - Rewrite TermsPage: Spanish law, RGPD, paste.es/CloudHost.es references - Update PWA manifest, HTML meta tags, package.json branding - Rename webhook headers to X-Paste-Event / X-Paste-Signature - Update API docs title and contact to paste.es / cloudhost.es Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
4.3 KiB
4.3 KiB
API Documentation
Hemmelig provides a REST API for programmatic access to secret sharing functionality.
Interactive Documentation
The API is documented using OpenAPI 3.0 specification with an interactive Swagger UI:
- Swagger UI:
/api/docs- Interactive API explorer - OpenAPI Spec:
/api/openapi.json- Raw OpenAPI specification
Authentication
Session Authentication
For browser-based access, authenticate through the /auth endpoints provided by better-auth. Session cookies are automatically managed.
API Key Authentication
For programmatic access, create an API key in your account settings under the Developer tab.
Use the API key as a Bearer token in the Authorization header:
curl -H "Authorization: Bearer hemmelig_your_api_key_here" \
https://your-instance.com/api/secrets
Important:
- API keys are shown only once upon creation - store them securely
- Maximum 5 API keys per user
- Keys can optionally expire after 30, 90, or 365 days
- Revoke compromised keys immediately from your account settings
For endpoints requiring admin access, the authenticated user must have the admin role.
Quick Reference
Public Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/healthz |
Health check |
| POST | /api/secrets |
Create a new secret |
| POST | /api/secrets/:id |
Retrieve a secret (password in body if protected) |
| GET | /api/secrets/:id/check |
Check if secret exists and requires password |
| POST | /api/files |
Upload a file |
| GET | /api/files/:id |
Download a file |
| GET | /api/instance/settings/public |
Get public instance settings |
| GET | /api/setup/status |
Check if initial setup is needed |
| POST | /api/setup/complete |
Complete initial setup |
Authenticated Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/secrets |
List user's secrets |
| DELETE | /api/secrets/:id |
Delete a secret |
| GET | /api/account |
Get account info |
| PUT | /api/account |
Update account info |
| PUT | /api/account/password |
Update password |
| DELETE | /api/account |
Delete account |
| GET | /api/api-keys |
List API keys |
| POST | /api/api-keys |
Create API key |
| DELETE | /api/api-keys/:id |
Delete API key |
Admin Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/instance/settings |
Get all instance settings |
| PUT | /api/instance/settings |
Update instance settings |
| GET | /api/analytics |
Get secret analytics |
| GET | /api/analytics/visitors/daily |
Get daily visitor stats |
| GET | /api/invites |
List invite codes |
| POST | /api/invites |
Create invite code |
| DELETE | /api/invites/:id |
Deactivate invite code |
| PUT | /api/user/:id |
Update user |
Example: Create a Secret
curl -X POST https://your-instance.com/api/secrets \
-H "Content-Type: application/json" \
-d '{
"secret": "BASE64_ENCRYPTED_CONTENT",
"salt": "ENCRYPTION_SALT",
"expiresAt": 3600,
"views": 1
}'
Response:
{
"id": "abc123xyz"
}
Important Notes
- Client-side encryption: All secret content should be encrypted client-side before sending to the API. The server only stores encrypted data.
- Decryption keys: Never send decryption keys to the server. They should be passed via URL fragments (
#key=...) which are not transmitted to the server. - Rate limiting: API requests may be rate-limited based on instance settings.