Skip to main content
The Theo API is a RESTful JSON API served at https://www.hitheo.ai/api/v1/. All endpoints require authentication via Bearer token except /health.

Base URL

Always call the www host directly. The apex hitheo.ai 307-redirects to www.hitheo.ai, and most HTTP clients strip the Authorization header on 3xx responses — the redirected request arrives unauthenticated and the server returns 401. The SDK defaults to https://www.hitheo.ai as of @hitheo/sdk@0.2.0. If you hit an unexpected 401, see 401 Troubleshooting.

Authentication

All requests must include your API key in the Authorization header:
See Authentication for details.

OpenAPI Spec

The full OpenAPI 3.1 specification is available at:
You can import this into Postman, Insomnia, or any OpenAPI-compatible tool.

Endpoints at a Glance

Response Format

All responses follow a consistent JSON structure:
Every response also carries an X-Request-Id header; successful JSON responses surface the same value as a top-level request_id field. Include it in support tickets so the request can be looked up in logs.

Idempotency Keys

POST requests to state-changing endpoints (create canvas, create workflow, run workflow, submit skill, create webhook, install hook, publish event, create iframe, duplicate iframe, start browser session, install skill) accept an Idempotency-Key header:
  • Responses are cached for 24 hours per (user, key). Retried requests with the same key return the original response body with X-Idempotent-Replay: true.
  • The key is at most 256 characters and must match [A-Za-z0-9\-_.:]+. Use a UUID, ULID, or your own deterministic request id.
  • Two concurrent requests with the same key resolve to 409 idempotency_conflict on the second caller — retry shortly.
  • Idempotency is scoped per user, so keys can’t collide across tenants.

Errors

Errors return a structured JSON body: