Access Tokens
All API requests must include an access token in the Authorization header using the Bearer scheme.
curl -X GET "https://costhawk.ai/api/mcp/usage/summary" \
-H "Authorization: Bearer ch_sk_your_token_here" \
-H "Content-Type: application/json"
Getting a Token
- Log into your CostHawk dashboard
- Go to Settings → Developer
- Click Create Token
- Copy the token (displayed only once)
CostHawk tokens consist of the prefix ch_sk_ followed by a unique identifier:
ch_sk_XFDmvHtmzmwpbuh_JGnC9LTnkErUnB99aARwbPyo5-A
Error Responses
401 Unauthorized
No token provided or token is invalid:
{
"error": "No API key provided. You must first sign up at https://costhawk.ai to get an API key."
}
403 Forbidden
Token doesn’t have permission for this resource:
{
"error": "Insufficient permissions for this resource"
}
Security Best Practices
Never expose your access token in client-side code, public repositories, or logs.
- Store tokens in environment variables
- Use different tokens for dev/staging/production
- Rotate tokens periodically
- Revoke unused tokens immediately
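One way to apply the advice above, as an added example that is not CostHawk's own code: it loads the token from an environment variable, scrubs tokens from log records, and scans text (a file about to be committed, a log excerpt) for leaked tokens. The environment variable name COSTHAWK_API_TOKEN, the function names, and the character set and minimum length in the pattern are assumptions; the pattern is inferred from the ch_sk_ prefix and the sample token shown on this page.

```python
import logging
import os
import re

# Assumed shape: the documented "ch_sk_" prefix plus 20 or more URL-safe
# base64 characters, inferred from the sample token on this page.
TOKEN_RE = re.compile(r"ch_sk_[A-Za-z0-9_-]{20,}")


def redact(text: str) -> str:
    """Replace each token with its prefix and a fixed marker."""
    return TOKEN_RE.sub("ch_sk_[REDACTED]", text)


def find_tokens(lines):
    """Return (line_number, redacted_line) for every line holding a token."""
    return [(n, redact(line.rstrip("\n")))
            for n, line in enumerate(lines, start=1)
            if TOKEN_RE.search(line)]


class RedactTokens(logging.Filter):
    """Logging filter that scrubs tokens from the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


def load_token(env_var: str = "COSTHAWK_API_TOKEN") -> str:
    """Read the token from the environment (variable name is hypothetical)."""
    token = os.environ.get(env_var, "")
    if not TOKEN_RE.fullmatch(token):
        raise RuntimeError(f"{env_var} is unset or not a ch_sk_ token")
    return token


if __name__ == "__main__":
    # Constructed sample input; the token below is made up.
    sample = [
        'curl -H "Authorization: Bearer ch_sk_AAAAAAAAAAAAAAAAAAAAAAAAAAAA"\n',
        "GET /api/mcp/usage/summary 200\n",
    ]
    for n, line in find_tokens(sample):
        print(f"line {n}: {line}")
```

Attach the filter to each log handler with handler.addFilter(RedactTokens()) so that records from every logger are scrubbed before they are written.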