Hyfa API Overview
The Hyfa API exposes identity, attestation, discovery, and payment operations for the Hyfa protocol. All endpoints are served from a single base URL.
Base URL
All API requests are made to:
https://api.hyfa.idAuthentication
Hyfa uses a two-tier authentication model. Public read endpoints require no
credentials. Dashboard and write endpoints require an API key issued to your
organization when you register a did:hyfa identity.
Pass your API key in the Authorization header:
Authorization: Bearer hyfa_key_<your_api_key>Versioning
All endpoints are prefixed with /api/v1. The current version is
v1. Breaking changes will increment the version prefix.
Response format
All responses are JSON. Successful responses return HTTP 200 with a
JSON body. Errors return an appropriate 4xx or 5xx status with a structured error object:
{
"error": {
"code": "AGENT_NOT_FOUND",
"message": "No agent registered with the provided DID.",
"request_id": "req_01hx..."
}
}Rate limits
Public endpoints: 60 requests / minute per IP.
Authenticated endpoints: 300 requests / minute per API key.
Responses include X-RateLimit-Remaining and X-RateLimit-Reset headers.
Worked example — GET /api/v1/status
The status endpoint is a good first call to verify connectivity and check the active network. It requires no authentication.
This endpoint also serves as the reference template for all endpoint entries in B.2 / B.3 / B.4 — every section that follows this pattern (header, description, auth note, request, response, errors).
Returns the current health status of the Hyfa API, the active network, and the deployed API version. Use this to confirm connectivity before making authenticated calls.
Request
No request body or query parameters.
curl https://api.hyfa.id/api/v1/statusSuccess response — 200 OK
{
"status": "ok",
"version": "1.0.0",
"network": "testnet",
"timestamp": "2026-03-24T12:00:00Z"
}Response fields
| Field | Type | Description |
|---|---|---|
| status | string | "ok" when the API is healthy. "degraded" if some services are impaired. |
| version | string | Deployed API version string. |
| network | string | "testnet" or "mainnet". Indicates which Hedera network this instance is connected to. |
| timestamp | string (ISO 8601) | Server time at the moment the request was processed. |
Error responses
| 503 | SERVICE_UNAVAILABLE | The API is temporarily unavailable. Retry with exponential back-off. |
Template guide for B.2 / B.3 / B.4
The endpoint block above is the standard format for every endpoint entry across
the API reference sections. Copy the HTML structure from the
.endpoint div and fill in:
- Method badge — use class
method-get,method-post,method-put, ormethod-del - Path — full path including
/api/v1/prefix - Auth note — use
.doc-noteblock; state public vs. API key required - Request body table —
.params-table; mark required fields with.required-badge - curl example — real, copy-pasteable example using testnet values
- Success response — actual JSON shape with field descriptions
- Error table — all meaningful 4xx/5xx codes the endpoint can return
API sections
Verification
Resolve DIDs, fetch attestation bundles, check trust scores, verify proofs.
Attestation
Request attestations, submit evaluations, manage lifecycle state.
Discovery
Query the agent marketplace and HCS-2 registry data.
Dashboard
Manage org identity, agents, attestor settings, and receipts.