Authentication | StudyHQ

The StudyHQ Partner API uses token-based authentication. Every API request must include a valid access token in the request header.

Access Tokens

Tokens are issued per project (college) during onboarding. Each token is a pair of credentials:

Credential	Description
`TokenId`	Public identifier for the token
`TokenSecret`	Secret value used to authenticate — shown only once at creation

The TokenSecret is displayed only once when the token is created. Store it securely. If lost, the token must be regenerated.

Sending the Token

Include the token in every request using the X-Access-Token header, formatted as TokenId:TokenSecret:

$ X-Access-Token: <TokenId>:<TokenSecret>

Required Headers

Header	Value
`X-Access-Token`	`<TokenId>:<TokenSecret>`
`Content-Type`	`application/json`
`Accept`	`application/json`

Example Request

$ curl -X POST https://api.studyhq.com/partner/get-redirect-url \
>   -H "Content-Type: application/json" \
>   -H "X-Access-Token: tok_abc123:secret_xyz789" \
>   -d '{
>     "projectId": "L4ndb5PYxM",
>     "name": "Student name",
>     "email": "student@gmail.com",
>     "mobile": "9876543210"
>   }'

Token Lifecycle

Event	Behavior
Token created	Secret is shown once — copy it immediately
Secret lost	Token must be deleted and regenerated
Token revoked	All requests using that token will fail with `401`
Token scope	Restricted to a single project (college)

Security Best Practices

Never expose the X-Access-Token header in client-side code or browser requests
Do not log raw request headers in your application
Rotate tokens periodically or immediately if compromised
Contact support@studyhq.com for token revocation or rotation assistance