The HASP AI API authenticates every request via an API key. No OAuth flow, no session cookies — just a Bearer token.

API key format

hasp_key_live_<32 Crockford base32 characters>
Keys are issued with the prefix hasp_key_live_ and are globally unique. The 32-character body uses the Crockford base32 alphabet (ambiguous lookalike characters 0, O, 1, l, I excluded). The full token is shown exactly once on creation. HASP stores only a SHA-256 hash — if you lose the token, revoke it and issue a new one.
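
Because the full token is shown only once and follows a fixed prefix-plus-32-character shape, it is easy to scrub from application logs before they leave the host. The filter below is an added example, not part of the HASP documentation or any HASP SDK. It assumes a pattern of the documented prefix followed by 32 alphanumerics (deliberately broader than the key alphabet), its fingerprint is a local truncated SHA-256 for correlating leaks rather than a value HASP exposes, and the names `KEY_RE`, `fingerprint`, `redact` and `RedactKeysFilter` as well as the sample key are constructed for illustration.

```python
import hashlib
import logging
import re

# Assumption: documented prefix + 32 alphanumerics. Broader than the key
# alphabet on purpose, so mistyped or re-cased keys are still scrubbed.
KEY_RE = re.compile(r"hasp_key_live_[0-9A-Za-z]{32}")


def fingerprint(token: str) -> str:
    """Short local SHA-256 fingerprint, used to correlate a leaked key
    across log lines without keeping the key itself."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()[:12]


def redact(text: str) -> str:
    """Replace every key-shaped token with the prefix and a fingerprint."""
    return KEY_RE.sub(
        lambda m: f"hasp_key_live_[REDACTED sha256:{fingerprint(m.group(0))}]",
        text,
    )


class RedactKeysFilter(logging.Filter):
    """Logging filter that scrubs keys from the fully formatted message,
    so keys passed as %-style arguments are caught too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


# Constructed sample key and log line (not a real credential).
SAMPLE_KEY = "hasp_key_live_" + "7ZK4M9Q2W8X3R6T5Y7B4N9P2C8D3F6G5"
SAMPLE_LINE = f'upstream call failed headers={{"Authorization": "Bearer {SAMPLE_KEY}"}}'

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactKeysFilter())
    log = logging.getLogger("hasp-demo")
    log.addHandler(handler)
    log.warning("request failed, key=%s", SAMPLE_KEY)
    print(redact(SAMPLE_LINE))
```

Attach the filter to handlers rather than to a single logger so records propagated from child loggers are scrubbed as well.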

Sending the token

Pass the key in the Authorization header on every request:
Authorization: Bearer hasp_key_live_your_key_here

Scopes

Every API key has one or more scopes. A request to a route protected by a scope the key does not have returns 403 MISSING_SCOPE.
| Scope | Grants access to |
| --- | --- |
| ai:chat | POST /v1/ai/chat, POST /v1/messages |
| ai:documents | Document upload and retrieval endpoints |
| ai:embeddings | Embeddings endpoint |
| ai:summarize | Summarize endpoint |
| control:read | GET /v1/api_keys, GET /v1/usage, GET /v1/usage/budget, PUT /v1/usage/budget, GET /v1/audit |
| control:webhooks | GET /v1/webhooks, POST /v1/webhooks, DELETE /v1/webhooks/{id} |

Assign only the scopes a key needs. A key used for chat-only integrations should carry only ai:chat.

Creating keys

Via the dashboard: Settings → API Keys → New Key. Via the API (requires a key with control:read):
curl -X POST https://api.usehasp.com/v1/api_keys \
  -H "Authorization: Bearer hasp_key_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-chat-service",
    "scopes": ["ai:chat"]
  }'
See Control: API Keys for the full endpoint reference.

BAA requirement

All requests additionally require an active Business Associate Agreement (BAA) on your organization. If your org has no active BAA, every request — regardless of key validity — returns:
{
  "success": false,
  "error": {
    "code": "BAA_REQUIRED",
    "type": "payment_required",
    "message": "An active Business Associate Agreement is required to use the AI API.",
    "retryable": false,
    "request_id": "req_..."
  }
}
Sign the BAA in Settings → Compliance → Business Associate Agreement.

Error responses

| Code | HTTP | Meaning |
| --- | --- | --- |
| INVALID_API_KEY | 401 | Token not found, malformed, or revoked |
| BAA_REQUIRED | 402 | No active BAA on the org |
| MISSING_SCOPE | 403 | Key exists but lacks the required scope |