Cancel Hansel Authentication

API keys and webhook signatures power secure access to Cancel Hansel booking protection, policy evaluation, and evidence packet APIs.

API key lifecycle

Partners request API keys for server-side integration, rotate keys periodically, and revoke keys when they are no longer required. Each key should be stored securely, managed by operations teams, and scoped to the integration purpose.

Server-side key storage

Store API keys in secure vaults or configuration stores and never embed them in browser code, mobile apps, or client-side scripts. Treat API keys as confidential credentials for system-to-system access.

Authentication examples

curl -X GET https://api.cancelhansel.com/v1/health \
  -H "x-api-key: YOUR_API_KEY"

Valid authenticated request example:

GET /v1/bookings/booking_789/webhook-events HTTP/1.1
Host: api.cancelhansel.com
x-api-key: YOUR_API_KEY

Example failed auth response:

401 {
  "error": "Unauthorized",
  "message": "Missing or invalid x-api-key"
}

Webhook signature verification

Cancel Hansel signs webhooks with x-cancel-hansel-signature. Partners should verify this signature before trusting payload contents, and should reject events when signature validation fails.

This practice helps preserve evidence integrity and reduces risk when processing booking lifecycle events.
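
The verify-then-trust flow described above, as an added example that is not Cancel Hansel's own code. The page names only x-cancel-hansel-signature, so the example assumes it is an HTTP header carrying a hex-encoded HMAC-SHA256 of the raw request body, keyed with a shared webhook secret. The function names, the 401 response and the sample values are hypothetical.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-cancel-hansel-signature"  # name taken from the page


class SignatureError(Exception):
    """The event must be rejected."""


def expected_signature(secret: bytes, raw_body: bytes) -> str:
    # ASSUMPTION: hex-encoded HMAC-SHA256 over the exact raw request bytes.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> None:
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not received:
        raise SignatureError("missing signature header")
    expected = expected_signature(secret, raw_body)
    # Constant-time comparison: timing does not reveal how many characters matched.
    if not hmac.compare_digest(received.strip().lower().encode(), expected.encode()):
        raise SignatureError("signature mismatch")


def handle_event(secret: bytes, headers: dict, raw_body: bytes):
    """Hypothetical receiver: verify the raw bytes first, parse JSON only afterwards."""
    try:
        verify_webhook(secret, headers, raw_body)
    except SignatureError as exc:
        return 401, {"error": str(exc)}
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample values, not real Cancel Hansel data.
    secret = b"constructed-test-secret"
    body = b'{"booking_id": "booking_789", "type": "constructed.event"}'
    good = {"X-Cancel-Hansel-Signature": expected_signature(secret, body)}
    print(handle_event(secret, good, body))                          # accepted
    print(handle_event(secret, good, body.replace(b"789", b"790")))  # tampered body
    print(handle_event(secret, {}, body))                            # header missing
```

Verify against the bytes exactly as received: re-serialising parsed JSON can change whitespace or key order and make a valid signature fail.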

Integration guidance

API keys are used for partner requests. Webhook signatures are used for inbound event verification. Both safeguards are essential for reliable evidence infrastructure and operational accountability.
