Creating an API key
- Log in to secure.hsverify.com
- Go to Settings → API Keys
- Click Create API Key, give it a name (e.g.
production, staging)
- Copy the key immediately — it is shown only once
Keys look like: hs_live_xxxxxxxxxxxxxxxxxxxxxxxx
Using your key
Pass your API key as a Bearer token in every request:
Authorization: Bearer hs_live_xxxxxxxxxxxxxxxxxxxxxxxx
import os, requests
HEADERS = {"Authorization": f"Bearer {os.environ['HS_API_KEY']}"}
response = requests.post(
"https://app.jobsbyhumans.com/api/v1/analyze",
headers=HEADERS,
json={"url": "https://cdn.example.com/track.mp3"}
)
Never expose your API key in client-side code, browser environments, or public repositories. Use environment variables or a secrets manager.
Managing keys
- Rotate: Create a new key, update your services, then delete the old one
- Revoke immediately: Delete a key from the dashboard if it’s compromised — it stops working instantly
- Multiple keys: Create separate keys per environment (
production, staging) or per service for easier auditing
Webhook signatures
When you configure a webhook URL on a job, HumanStandard signs each outbound request with your organization’s webhook secret. Verify this to ensure the payload came from us:
import hmac, hashlib
def verify_webhook(payload_bytes: bytes, signature_header: str, secret: str) -> bool:
expected = hmac.new(
secret.encode(),
payload_bytes,
hashlib.sha256
).hexdigest()
return hmac.compare_digest(f"sha256={expected}", signature_header)
import crypto from "crypto";
function verifyWebhook(
payload: Buffer,
signatureHeader: string,
secret: string
): boolean {
const expected = `sha256=${crypto
.createHmac("sha256", secret)
.update(payload)
.digest("hex")}`;
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signatureHeader)
);
}
X-HS-Signature header.
