Authentication
Every request must carry your API key in one of two headers:
Authorization: Bearer tvty_YOUR_KEY_HEREor, for clients that cannot set Authorization:
X-API-Key: tvty_YOUR_KEY_HEREKeys passed via query string are rejected — they leak into proxy access logs.
Authentication failures return HTTP 401 with one of these error codes:
| Code | Reason |
|---|---|
unauthorized | Missing, malformed, or invalid key |
key_revoked | Key was explicitly revoked in settings |
key_expired | Key reached its expires_at date |
Key storage
Keys are stored as a SHA-256 hash on our servers — we cannot show you the plaintext after you create the key. Lose it and you have to revoke and create a new one. Pre-existing keys created before 2026-05 are still valid but cannot be displayed in full anymore.
Multiple keys per account
You can have up to 25 active keys at a time. Each key has its own name, scopes, and rate-limit window. Use separate keys per integration (e.g. one for your AI agent, one for a mobile script, one for backups) so you can revoke them independently if anything leaks.
Next: Scopes.