H2GC API

The H2GC Data API uses API key authentication. There is no OAuth flow, no dashboard login, and no self-registration — access is managed by the H2GC team.

How it works

  1. A member of the H2GC team creates an invite and sends the link to the client
  2. The client claims the invite, which generates a long-lived API key
  3. The API key is included in every request via the x-api-key header
curl -H "x-api-key: sk_live_a1b2c3d4e5f6g7h8..." \
  "https://portal.h2gc.com/api/v1/financials?metric=ggr_annual&country=United+Kingdom"

API key format

Keys follow the format sk_live_ followed by a random string:

sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4

The key prefix (sk_live_a1b2c3d4) serves as an identifier in administrative operations and logs. The full key is only displayed once at creation time.

Security

  • Keys are hashed (SHA-256) before storage — the plaintext key exists only at claim time
  • Keys are scoped to an organisation — each key provides access only to the data its organisation is entitled to
  • Keys can be revoked instantly by an administrator, taking effect on all subsequent requests
  • Keys should always be transmitted over HTTPS — they must not be included in URLs, logs, or client-side code

Key lifecycle

StateDescription
ActiveThe key is valid and can be used for API requests
RevokedThe key has been permanently disabled by an administrator

There is no key expiry — keys remain active until explicitly revoked.

Error responses

StatusMeaning
401 UnauthorisedThe API key is missing or invalid
403 ForbiddenThe key is valid but lacks permission for the requested operation

Quickstart

From invite to first API call in under 5 minutes

Available datasets

Dataset catalogue, dimensions, and metrics

On this page

How it worksAPI key formatSecurityKey lifecycleError responses