Authentication & keys
Every Proxy API request authenticates with an API key, sent exactly like the Scrapers API — either header works:
http
X-API-Key: hpx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# or
Authorization: Bearer hpx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxScopes
Keys are scoped to a capability — a key can only do what its scopes allow, so a scraper key can never spend money.
| Scope | Grants |
|---|---|
scrape | The Scrapers API (/v1/scrape/…). The default for a new key. |
buy | The Proxy API (/v1/products, /v1/orders, /v1/plans/…). Required for everything in these docs. |
Create a Buy key in Settings → API Keys and pick the Buy capability. A key without the buy scope gets 403 on every Proxy API route.
Per-key spend cap
When you create a buy key you can set an optional daily spend cap — a hard ceiling on how much that one key can spend per rolling 24 hours, independent of (and below) your wallet balance.
Why cap a key
Set a cap on any key you embed in a script or hand to a service. Even if the key leaks, the most it can ever spend is the cap — then it's refused with 402 key_spend_cap_reached until the window rolls off. Containment, not just trust.Keep keys server-side, never in client code. Lost one? Revoke it in Settings → API Keys — it stops working immediately.
Was this helpful?