Skip to main content
Every request to the HackGATE API must include a valid token in the Authorization header using the Bearer scheme: 
Authorization: Bearer <token>
The API supports two token types and automatically detects which one you are using based on the token format.

Token types

Clerk JWT (prefix: eyJ...) — A short-lived JWT issued by your Admin Center browser session. Use this for interactive access, ad-hoc requests from your terminal, or testing. Organization API key (prefix: ak_live_...) — A long-lived token scoped to your organization. Use this for CI/CD pipelines, automation scripts, and any non-interactive workflow where a browser session is not available. Generate API keys in the Admin Center under Settings > API Keys.

Request examples

Retrieve your JWT from the Admin Center session (available in your browser’s local storage or via the Clerk SDK). Pass it as a Bearer token:
curl https://api-admin.hackgate.io/api/sites \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9..."
Clerk JWTs expire with your session. If you receive a 401, sign in again at admin.hackgate.io to get a fresh token.

Common errors

ErrorCause
401 Unauthorized: "Missing organization context."Your token does not carry an org ID. Make sure you are using an org-scoped token — either a Clerk JWT from an active org session or an API key generated under the correct organization.
401 Unauthorized (generic)Your token is expired, invalid, revoked, or missing from the request.
Never expose your API keys in client-side code, public repositories, or anywhere that could be accessed by unauthorized parties. Treat your ak_live_ key like a password. If a key is compromised, revoke it immediately in Settings > API Keys and generate a new one.