All requests to the Hey Chocolate API require authentication via an API key passed in the X-API-Key header.
Obtaining an API key
- Log in to the Hey Chocolate Dashboard
- Navigate to Settings > API Keys
- Click Create API Key and give it a descriptive name
- Copy the key immediately — it will only be shown once
Store your API key securely. Never commit it to version control or expose it in client-side code.
Using your API key
Include the X-API-Key header in every request:
```bash
curl -X POST https://api.heychocolate.com/graphql \
  -H "Content-Type: application/json" \
  -H "X-API-Key: sk_live_abc123def456" \
  -d '{"query": "{ me { id name tier } }"}'
```
Environments
| Environment | Base URL | Purpose |
|---|---|---|
| Production | https://api.heychocolate.com/graphql | Live data and production workloads |
| Sandbox | https://sandbox.heychocolate.com/graphql | Testing and development with mock data |
Sandbox API keys start with sk_sandbox_, production keys with sk_live_.
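The following shell wrapper is an added example, not part of the original documentation or Hey Chocolate's own tooling. It reads the key from an environment variable, picks the endpoint from the documented key prefix so a production key is never sent to the sandbox host or the reverse, and passes the header to curl on stdin so the key stays out of the process argument list. The variable name `HC_API_KEY` and the `hc_*` function names are assumptions.

```bash
# Added example; HC_API_KEY and the hc_* function names are assumptions.

# Choose the endpoint from the documented key prefix. Fails (status 1) for
# anything that is not an sk_live_ or sk_sandbox_ key with a non-empty body.
hc_endpoint_for_key() {
  case "$1" in
    sk_live_?*)    printf '%s\n' 'https://api.heychocolate.com/graphql' ;;
    sk_sandbox_?*) printf '%s\n' 'https://sandbox.heychocolate.com/graphql' ;;
    *)             return 1 ;;
  esac
}

# Log-safe form of a key: the prefix only, never the secret part.
hc_redact_key() {
  case "$1" in
    sk_live_*)    printf '%s\n' 'sk_live_****' ;;
    sk_sandbox_*) printf '%s\n' 'sk_sandbox_****' ;;
    *)            printf '%s\n' '[unrecognized key]' ;;
  esac
}

# Send a GraphQL request body ($1, JSON) with the key from the environment.
hc_query() {
  if [ -z "${HC_API_KEY:-}" ]; then
    echo 'HC_API_KEY is not set' >&2
    return 2
  fi
  if ! _hc_url=$(hc_endpoint_for_key "$HC_API_KEY"); then
    echo 'HC_API_KEY has an unrecognized prefix; refusing to send it' >&2
    return 2
  fi
  echo "POST $_hc_url with key $(hc_redact_key "$HC_API_KEY")" >&2
  # printf is a shell builtin, so the key is written to curl's stdin as a
  # config line and never appears in any process's argument list.
  printf 'header = "X-API-Key: %s"\n' "$HC_API_KEY" |
    curl --silent --show-error --fail --config - \
      -H 'Content-Type: application/json' \
      -d "$1" "$_hc_url"
}
```

Export `HC_API_KEY` from your secret store, then call `hc_query '{"query": "{ me { id name tier } }"}'`.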
API key tiers
Your API key is associated with a tier that determines rate limits and available features:
| Tier | Requests/min | Features |
|---|---|---|
| Free | 60 | Core queries, basic calculations |
| Growth | 600 | All calculations, scenarios, equivalencies |
| Enterprise | 6,000+ | Full access including DPP generation, asset rendering, webhooks |
Key rotation
You can rotate API keys from the Dashboard without downtime:
- Create a new key
- Update your application to use the new key
- Verify requests succeed with the new key
- Revoke the old key
Webhook authentication
When receiving webhooks from Hey Chocolate, verify the signature in the X-HC-Signature header using your webhook secret. See Webhooks for details.