Every request to the Off the Hook API must include your API key in the Authorization header. The API uses standard Bearer token authentication — there are no sessions, cookies, or OAuth flows to manage.

Header format

Include your API key on every request to a /v1/* endpoint:
Authorization: Bearer oth_YOUR_API_KEY
API keys are always prefixed with oth_. Here is a complete curl example:
curl https://api.offthehook.dev/v1/subscriptions \
  -H "Authorization: Bearer oth_YOUR_API_KEY"
Store your API key in an environment variable and reference it in your code and scripts rather than hardcoding it. For example: export OTH_API_KEY=oth_... and then -H "Authorization: Bearer $OTH_API_KEY". Never commit an API key to source control.

Error responses

If the Authorization header is missing, malformed, or contains an invalid key, the API returns a 401 Unauthorized response:
{
  "error": "unauthorized",
  "message": "invalid API key",
  "requestId": "..."
}
The error field is a stable string code you can branch on in your error handling logic. The message field is a human-readable description intended for debugging.
Every error response includes a requestId field. The same value is also present in the X-Request-Id response header on every API response, including successful ones. If you contact support about an unexpected error, include the requestId so the team can locate the request in the logs.
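The environment-variable advice and the 401 handling described above, combined in one client sketch. This is an added example, not code from the Off the Hook project: the names OthApiError, build_request, parse_error and fetch are hypothetical, and the "unknown" fallback code is an assumption for bodies that are not the documented JSON. It uses only the Python standard library, with the host and the OTH_API_KEY variable name taken from the examples on this page.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.offthehook.dev"  # host from the curl example on this page


class OthApiError(Exception):
    """Hypothetical error type: keeps the stable code and the request id."""

    def __init__(self, status, code, message, request_id):
        super().__init__(f"{status} {code}: {message} (requestId={request_id})")
        self.status, self.code, self.message = status, code, message
        self.request_id = request_id


def build_request(path, env=os.environ):
    """Build an authenticated request; the key is read from OTH_API_KEY only."""
    key = env.get("OTH_API_KEY", "").strip()
    if not key.startswith("oth_"):
        # Fail locally, and never echo the key value into the error text.
        raise ValueError("OTH_API_KEY is unset or does not start with 'oth_'")
    req = urllib.request.Request(BASE_URL + path)
    req.add_header("Authorization", f"Bearer {key}")
    return req


def parse_error(status, headers, body):
    """Map an error response to OthApiError; branch on `error`, not `message`."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    # Prefer the body field; fall back to the X-Request-Id response header.
    request_id = doc.get("requestId") or headers.get("X-Request-Id")
    return OthApiError(status, doc.get("error", "unknown"), doc.get("message", ""), request_id)


def fetch(path):
    """GET a /v1/* path and return the decoded JSON body."""
    try:
        with urllib.request.urlopen(build_request(path), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        raise parse_error(e.code, e.headers, e.read()) from None
```

Callers can catch OthApiError, branch on its code attribute, and log request_id for support; the exception text never contains the key, so it is safe to write to logs.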