API Documentation

December 4, 2025 ยท View on GitHub

Hemmelig provides a REST API for programmatic access to secret sharing functionality.

Interactive Documentation

The API is documented using OpenAPI 3.0 specification with an interactive Swagger UI:

  • Swagger UI: /api/docs - Interactive API explorer
  • OpenAPI Spec: /api/openapi.json - Raw OpenAPI specification

Authentication

Session Authentication

For browser-based access, authenticate through the /auth endpoints provided by better-auth. Session cookies are automatically managed.

API Key Authentication

For programmatic access, create an API key in your account settings under the Developer tab.

Use the API key as a Bearer token in the Authorization header:

curl -H "Authorization: Bearer hemmelig_your_api_key_here" \
  https://your-instance.com/api/secrets

Important:

  • API keys are shown only once upon creation - store them securely
  • Maximum 5 API keys per user
  • Keys can optionally expire after 30, 90, or 365 days
  • Revoke compromised keys immediately from your account settings

For endpoints requiring admin access, the authenticated user must have the admin role.

Quick Reference

Public Endpoints

MethodEndpointDescription
GET/api/healthzHealth check
POST/api/secretsCreate a new secret
POST/api/secrets/:idRetrieve a secret (password in body if protected)
GET/api/secrets/:id/checkCheck if secret exists and requires password
POST/api/filesUpload a file
GET/api/files/:idDownload a file
GET/api/instance/settings/publicGet public instance settings
GET/api/setup/statusCheck if initial setup is needed
POST/api/setup/completeComplete initial setup

Authenticated Endpoints

MethodEndpointDescription
GET/api/secretsList user's secrets
DELETE/api/secrets/:idDelete a secret
GET/api/accountGet account info
PUT/api/accountUpdate account info
PUT/api/account/passwordUpdate password
DELETE/api/accountDelete account
GET/api/api-keysList API keys
POST/api/api-keysCreate API key
DELETE/api/api-keys/:idDelete API key

Admin Endpoints

MethodEndpointDescription
GET/api/instance/settingsGet all instance settings
PUT/api/instance/settingsUpdate instance settings
GET/api/analyticsGet secret analytics
GET/api/analytics/visitors/dailyGet daily visitor stats
GET/api/invitesList invite codes
POST/api/invitesCreate invite code
DELETE/api/invites/:idDeactivate invite code
PUT/api/user/:idUpdate user

Example: Create a Secret

curl -X POST https://your-instance.com/api/secrets \
  -H "Content-Type: application/json" \
  -d '{
    "secret": "BASE64_ENCRYPTED_CONTENT",
    "salt": "ENCRYPTION_SALT",
    "expiresAt": 3600,
    "views": 1
  }'

Response:

{
    "id": "abc123xyz"
}

Important Notes

  • Client-side encryption: All secret content should be encrypted client-side before sending to the API. The server only stores encrypted data.
  • Decryption keys: Never send decryption keys to the server. They should be passed via URL fragments (#key=...) which are not transmitted to the server.
  • Rate limiting: API requests may be rate-limited based on instance settings.