API Keys

remaining credit

Your live API key

One live key per account. Use it as Authorization: Bearer hbs_live_…
Loading…

Copy this key now — it won't be shown again

Store it in your secret manager. If you lose it, rotate the key from this page.

Account

These are the details you provided at signup.

Password

Use the password reset flow to change your password.

Video AI

Realtime video calling, recording, broadcasting, transcription, AI assistant in-call. Production-ready and live.
live Audio Video Recording Broadcast (HLS) Transcription AI Assistant E2E Encryption

Quick start

Pick your platform. Replace the placeholder key with the live key from the API Keys tab.

Endpoints

Base URL: Auth: Authorization: Bearer hbs_live_…

Webhooks

2stars delivers JSON payloads to your URL with HMAC-SHA256 in X-2stars-Signature (v1=hex(hmac(secret, ts + "." + body))). Subscribe to events like room.created, room.closed, participant.joined.
Loading...

Add webhook

VerifAI

Zero-knowledge device trust. Verify the device, not just the password.
Live numbers - pattern collections, verifications, blocks, recent events - are under Analytics → VerifAI.

Quick start

Same hbs_live_… key as Video AI. Drop the SDK in, two calls, you're done.
Base URL: https://api.2stars.io · auth: Authorization: Bearer hbs_live_…
POST/verifai/v1/registerDeviceRegister a new device on first loginpatterns
POST/verifai/v1/verifyDeviceVerify on subsequent loginsverification
POST/verifai/v1/registerTokenRegister FCM token for push approvalsverification
GET/verifai/v1/listDevicesList trusted devices for a user
GET/verifai/v1/getTrustScoreGet trust level + score
DELETE/verifai/v1/deleteDeviceRemove a trusted device
POST/verifai/v1/approveDeviceApprove a pending session from primaryverification
POST/verifai/v1/rejectDeviceReject a pending sessionverification

Same-network gate optional

When ON, approval pushes only fire if the new device shares a public IP with one of the user's trusted devices. Off-network attempts are auto-rejected silently and logged as different_network. Pick whichever fits your product.
When you turn it ON:
A friend / attacker trying to log in from their home WiFi gets REJECTED immediately - your user's phone never rings.
Off-network attempts are logged in your audit feed as different_network - useful fraud signal.
Trade-off: legit users on a new network (travelling, new ISP, mobile carrier) also get blocked unless they're near a trusted device.
Optional UX polish: differentiate the rejection reason in your app
If you turn the gate on and want a friendlier "blocked because you're on a different network" message instead of a generic block, branch on result.reason:
// Android
when (result.status) {
  Status.TRUSTED   -> allow()
  Status.REJECTED  -> when (result.reason) {
    "different_network" -> show("Login from a new network was blocked. Try again from your trusted WiFi.")
    else                  -> show("Login blocked.")
  }
  Status.NEW_DEVICE -> showApprovalPending(result.sessionId)
  else              -> retryOrError()
}

// Web
switch (result.status) {
  case 'TRUSTED':    allow(); break;
  case 'REJECTED':
    if (result.reason === 'different_network') showOffNetworkBlock();
    else showBlock();
    break;
  case 'NEW_DEVICE': showApprovalPending(result.sessionId); break;
}

Trust score always returned

Every /verifyDevice response carries trustScore (0–100) plus a scoreBreakdown object with one entry per axis that ran (device, behavioral, advanced, patterns, contacts). You decide what to do with it - block on login, require step-up auth on a transfer, log for fraud analysis. We just provide the signal.

Pattern groups

Each group bundles related behavioral signals. Turning a group OFF means the server ignores its incoming hashes on compare (the SDK keeps collecting so you can A/B). Default: all ON.
Loading…

Training cycle

Number of successful logins before the behavioral baseline locks. Higher = more lenient (impostor's signals might land inside the trained window). Lower = more aggressive.

Advanced patterns 30-day baseline

Compare every login to this device's history for the same day-of-week + hour bucket over the last 30 days. Catches anomalies like "user always banks on Sunday mornings, this Tuesday-3am attempt looks nothing like the bucket." Admin-gated.

Contact lock Android · admin-gated

The SDK reads the phone's contact list (with explicit READ_CONTACTS), salts + hashes each number, and uploads the set. The response carries contactOverlapPct against the stored baseline. The server never sees raw numbers. Threshold below labels the response status as match or mismatch; the actual block/flag decision is yours.
Analytics

Video AI

Daily usage

Vision AI
Image generation, image-to-image transforms, vision Q&A, OCR, and live face/object recognition — accessible from the same API key.
Realtime face / object detection on incoming video
Image generation & in-call AI backgrounds
OCR + structured extraction from photos
Vision Q&A on uploaded images
Request early access
AI Messaging
Conversational AI primitives — agents, tool-use, retrieval, WhatsApp / RCS / SMS / web chat fan-out — flat monthly pricing, no per-message cost.
Bring-your-own-LLM (Anthropic, OpenAI, Gemini)
WhatsApp Business + RCS + SMS fan-out
Built-in retrieval / vector store
Tool-use with your own functions
Request early access
Secure OTP
Email + SMS one-time passwords with built-in rate limiting, abuse detection, and zero-knowledge device fingerprinting.
SMS, email, and TOTP delivery
Per-IP / per-device rate limits + bot scoring
Verify a device, not a phone number
SOC 2 + GDPR compliant logging
Request early access