overhide.io blog
— effortless login — from social to wallet — for your Web project
— authorize extras with hassle-free "in-app-purchases" (IAPs) in dollars and cryptos
— back-end code optional and front-end only OK... write minimal code once but support dollars and coins
— as unliable as possible — no custody of user data for logins and purchases
21 Mar 2021
by Jakub Ner

Access Tokens

Up until now the overhide APIs did not require authorization tokens, they were merely protected (from abuse) via throttling.

This was in the spirit of putting up as few barriers as possible to Ledger Based Authorizations.

Going forward; however, to reign in potential abuses of the APIs, all of the APIs will now be accessed by authorizing with a token: an HTTP authorization header of the form:

Authorization: Bearer <token>

The ledgers.js library — that abstracts the APIs for in-browser “login” use — will also support provision of a token.

Getting Tokens

It’s a very simple process to get tokens. A process that continues to remain anonymous and hassle free.

Simply register for a developer API key at https://token.overhide.io/register. “Register” is a strong word here. You don’t provide any information other than wait for a reCAPTCHA (I guess you do provide some usage information to Google).

The obtained API key is meant to sit in your application’s back-end and be used to issue tokens to your users.

When obtaining an API key, ensure to obtain one for the right overhide environment.

Your back-end should use your API key to retrieve tokens via GET /token (see token APIs) upon request.

The token should be used with your back-end calls to the renumeration APIs as a Authorization header with the Bearer <token> value.

The token should be forwarded to your front-end UX for use in ledgers.js.

The token should be used with your front-end UX components by enabling the oh$ ledgers.js global instance with oh$.enable(token) (see the library for details and examples).

The token expires and should be refreshed every so often (hours).


Neither the API key nor the token retrieved with the key are authenticated secrets. These are authorizing claims for use of the overhide.io systems. They’re used to allow the system to revoke session or — if necessary — application access to the system, in case of detected abuse.

If your API key or token abuses our services — abusive amount of calls — it will get blacklisted.

If the token stops working, subsequent sessions will continue to work.

If the API key stops working, your back-end will fail to retrieve tokens.

If this happens, you will need to re-generate API keys — and rethink their use in your app.

You can reach out on reddit.

We will not tell you when your API key is revoked: we don’t collect your contact information.