The HAT is an API-only service: it does not impose a particular application or user interface for exposing data to the user. Instead, authentication is done through the HAT APIs, using JSON Web Tokens (JWT). Each HAT runs as a separate server with its own publicly-reachable address (such as All calls in this documentation are therefore executed against an individual HAT. The same login mechanism is used across all applications in the ecosystem, including:

The list goes on, but the important point is that the HAT distinguishes two kinds of services, approved and generic:

  • approved services have been registered with the HAT and may hold additional permissions, such as reading HAT data (as Rumpel does) or writing new data (as Data Plugs do)
  • generic services, which only need to verify that the individual owns a specific HAT.

The steps in logging in with a HAT are:

  1. You redirect the user to the /hatlogin endpoint on their HAT, such as
  2. The HAT owner enters their login details on the login screen and confirms the service they are logging into
  3. The user is redirected back to the address you provided, with the authentication token in a query parameter. You validate the token’s signature against that HAT’s public key and check that it has not expired and was issued by the HAT you sent the user to; a valid token proves the user owns that specific HAT, and you can log them in