H2GC API

The H2GC Data API uses API key authentication. There is no OAuth flow, no dashboard login, and no self-registration — access is managed by the H2GC team.

How it works

  1. A member of the H2GC team creates an invite and sends the link to the client
  2. The client claims the invite, which generates a long-lived API key
  3. The API key is included in every request via the x-api-key header
curl -H "x-api-key: sk_live_a1b2c3d4e5f6g7h8..." \
  "https://api.beta.h2gc.com/v1/financials?metric=ggr&granularity=annual&country=United+Kingdom"

API key format

Keys follow the format sk_live_ followed by a random string:

sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4

The key prefix (sk_live_a1b2c3d4) serves as an identifier in administrative operations and logs. The full key is only displayed once at creation time.

Security

  • Keys are hashed (SHA-256) before storage — the plaintext key exists only at claim time
  • Keys are linked to an organisation — each key records which organisation it was issued to
  • Keys can be revoked instantly by an administrator, taking effect on all subsequent requests
  • Keys should always be transmitted over HTTPS — they must not be included in URLs, logs, or client-side code

Key lifecycle

StateDescription
ActiveThe key is valid and can be used for API requests
RevokedThe key has been permanently disabled by an administrator

There is no key expiry — keys remain active until explicitly revoked.

Error responses

StatusMeaning
401 UnauthorisedThe API key is missing, invalid, or revoked

Quickstart

From invite to first API call in under 5 minutes

Available datasets

Dataset catalogue, dimensions, and metrics

On this page

How it worksAPI key formatSecurityKey lifecycleError responses