Every request to the Heymarket API must be authenticated. Heymarket supports three authentication methods: a Bearer token, HTTP Basic Auth, and a signed JWT. All three rely on credentials you generate in the Heymarket app.
Get your API key
Log in to Heymarket and navigate to Settings → Integrations. Your team API key is listed there. Copy it — you’ll use it in every request.
Never expose your API key in client-side code, browser JavaScript, or public repositories. Anyone with your key can make API calls on behalf of your team.
Authentication methods
Bearer token
HTTP Basic Auth
JWT (ApiKeyAuth)
Pass your API key as a Bearer token in the Authorization header. This is the simplest and most common method.curl https://api.heymarket.com/v1/contacts \
-H "Authorization: Bearer YOUR_API_KEY"
YOUR_API_KEY with the key you copied from Settings → Integrations. Use your API key as the username with no password. Most HTTP clients that support Basic Auth let you leave the password field blank.curl https://api.heymarket.com/v1/contacts \
-u "YOUR_API_KEY:"
Generate a short-lived signed JWT from your API Secret ID and API Secret Key. These are separate from your team API key. Retrieve them from Settings → Integrations alongside your team key.Build the JWT header
Set the algorithm to HS256 and the type to JWT.{
"alg": "HS256",
"typ": "JWT"
}
Build the JWT payload
Set iss to your API Secret ID and iat to the current Unix timestamp (seconds since epoch).{
"iss": "YOUR_API_SECRET_ID",
"iat": 1713225600
}
Construct the signing secret
Concatenate your API Secret ID and API Secret Key with the || delimiter:YOUR_API_SECRET_ID||YOUR_API_SECRET_KEY
74f80a77-9b3f-44ac-b3ad-ab68cfb548fa and your secret key is cPQku7lnSLbnK88UFOBg1a6Q3t1w1RgK, the combined secret is:74f80a77-9b3f-44ac-b3ad-ab68cfb548fa||cPQku7lnSLbnK88UFOBg1a6Q3t1w1RgK
Sign the token and send the request
Sign the JWT with HMAC-SHA256 using the combined secret from the previous step. Pass the resulting token as a Bearer token.curl https://api.heymarket.com/v1/contacts \
-H "Authorization: Bearer YOUR_SIGNED_JWT"
iat timestamp. Regenerate the token before it expires to maintain uninterrupted access. Request IDs
Every API response includes an X-Request-Id header. Record this value when you encounter an error — the Heymarket support team uses it to look up the specific request in our logs.
X-Request-Id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
Rotating your API key
To roll (rotate) your team API key, visit the Heymarket integrations page. Rotating the key immediately invalidates the previous key, so update all integrations before rotating in a production environment. 