HacklessHackless Docs
API

Authentication

How Hackless public API authentication works.

Hackless public routes can resolve two forms of authentication:

MCP/API key

Use an MCP API key generated inside Hackless settings.

Authorization: Bearer hk_your_api_key

or:

X-API-Key: hk_your_api_key

API keys are hashed before storage. The platform stores the key prefix for display and lookup metadata, while requests are verified by hashing the presented secret.

Browser session

When the API is called from the Hackless web app, the same request context can use the active NextAuth session cookie.

Which endpoints require auth?

EndpointAuth
GET /api/public/healthNo
GET /api/public/challengesOptional
GET /api/public/challenges/{slug}Optional
GET /api/public/leaderboardNo
GET /api/public/profiles/{userId}No
GET /api/public/meYes
POST /api/public/challenges/{slug}/submitYes
GET /api/public/challenges/{slug}/writeupsYes and challenge must be solved

Public REST API

OpenAPI-backed documentation for Hackless routes under /api/public.

TypeScript SDK

Use hackless-sdk to call the Hackless public API from TypeScript.