Authentication
Bearer tokens, key rotation, and security best practices.
How it works
Every request must include an Authorization header using the Bearer scheme. Keys are issued from your dashboard and are tied to your account's credit balance and rate limits.
```bash
Authorization: Bearer tk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
Key format
Keys begin with the prefix tk_live_ followed by a 32-character random suffix. Only the prefix is kept in plaintext on our side; the suffix is stored as a hash. This means that if you lose a key, you must rotate it: we cannot recover it for you, because we never hold the plaintext suffix.
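The storage model described above, as an added illustration (this is not the service's own code): the issuing side persists only a hash of the random suffix, so verification works but the plaintext can never be read back. The hash function (unsalted SHA-256 over the suffix), the suffix alphabet and the in-memory store are assumptions made for the example.

```python
"""Illustration of 'suffix hashed at rest': the plaintext suffix is returned
to the caller exactly once and is never persisted. Added example with assumed
details (SHA-256, [A-Za-z0-9] suffix alphabet, in-memory dict store)."""
import hashlib
import secrets
import string

PREFIX = "tk_live_"
SUFFIX_LEN = 32
ALPHABET = string.ascii_letters + string.digits  # assumed suffix alphabet


def _hash_suffix(suffix: str) -> str:
    # Assumed: unsalted SHA-256. A 32-character random suffix has far too much
    # entropy for a dictionary or rainbow-table attack, so no salt is needed.
    return hashlib.sha256(suffix.encode()).hexdigest()


class KeyStore:
    """Server-side store keyed by hash(suffix); holds no plaintext suffix."""

    def __init__(self) -> None:
        self._by_hash = {}      # hash(suffix) -> account id
        self._revoked = set()   # hashes of revoked keys

    def issue(self, account_id: str) -> str:
        """Mint a key, persist only its hash, and return the plaintext once."""
        suffix = "".join(secrets.choice(ALPHABET) for _ in range(SUFFIX_LEN))
        self._by_hash[_hash_suffix(suffix)] = account_id
        return PREFIX + suffix

    def revoke(self, key: str) -> None:
        """Revocation needs the key (or its hash); the store cannot reconstruct it."""
        self._revoked.add(_hash_suffix(key[len(PREFIX):]))

    def authenticate(self, key: str):
        """Return the account id for a valid, unrevoked key, else None."""
        if not key.startswith(PREFIX) or len(key) != len(PREFIX) + SUFFIX_LEN:
            return None
        digest = _hash_suffix(key[len(PREFIX):])
        if digest in self._revoked:
            return None
        # A direct lookup by digest is acceptable here: any timing difference
        # reveals at most the digest, which cannot be inverted to the suffix.
        return self._by_hash.get(digest)
```

Because `issue` is the only place the plaintext suffix exists, a caller who loses the returned string has no path back to it other than minting a new key, which is exactly why the rotation procedure below exists.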
Rotation
You can have multiple active keys on the same account — useful when rotating without downtime:
- Create a new key in the dashboard.
- Deploy the new key to your services.
- Verify traffic is flowing on the new key (usage logs update in seconds).
- Revoke the old key.
Security tips
- Never embed keys in client-side code or public repositories.
- Store keys in environment variables or your secret manager.
- Use a separate key per environment (dev, staging, production).
- Rotate keys when an employee leaves or a key may have leaked.
401 vs 402
A 401 means the bearer token is missing, malformed, or revoked. A 402 means the token is valid but you're out of credits or have no active plan; see the errors guide for the full payload shape.
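A client that follows this page end to end, as an added example rather than an official SDK: it reads the key from the environment (never from source, per the security tips), checks the key's shape before the first request, sends the Bearer header from "How it works", and turns 401 and 402 into distinct exceptions so callers can tell a credential problem from a billing one. Assumptions: the environment variable name TK_API_KEY, a suffix alphabet of [A-Za-z0-9], and an injected transport function standing in for the real HTTP layer so the example runs offline; the fake server and its keys are constructed for the demo.

```python
"""Client-side handling of the Bearer scheme and the 401/402 split.
Added example, not the service's own client. Assumed: env var TK_API_KEY,
suffix alphabet [A-Za-z0-9], injected transport instead of real HTTP."""
import os
import re
from typing import Callable, Mapping, Tuple

# prefix tk_live_ plus a 32-character suffix; the alphabet is an assumption
KEY_RE = re.compile(r"^tk_live_[A-Za-z0-9]{32}$")


class AuthError(Exception):
    """401: token missing, malformed or revoked. Fix or rotate the key."""


class PaymentRequired(Exception):
    """402: token is fine; the account has no credits or no active plan."""


def load_key(env: Mapping[str, str] = os.environ, name: str = "TK_API_KEY") -> str:
    """Read the key from the environment and fail fast if it is not key-shaped."""
    key = env.get(name, "").strip()
    if not KEY_RE.match(key):
        # Catching this at startup beats discovering it as a 401 on the first call.
        raise AuthError(f"{name} is unset or is not a tk_live_ key")
    return key


def auth_header(key: str) -> dict:
    """The header every request must carry."""
    return {"Authorization": f"Bearer {key}"}


def redact(key: str) -> str:
    """Log-safe form: prefix plus last four characters only."""
    return key[:8] + "..." + key[-4:]


# transport(method, path, headers) -> (status, body); injected so no network is needed
Transport = Callable[[str, str, dict], Tuple[int, str]]


def call(key: str, path: str, transport: Transport) -> str:
    """Issue one authenticated request and map the auth/billing statuses."""
    status, body = transport("GET", path, auth_header(key))
    if status == 401:
        raise AuthError(f"{redact(key)} rejected: {body}")
    if status == 402:
        raise PaymentRequired(body)
    if status >= 400:
        raise RuntimeError(f"HTTP {status}: {body}")
    return body


# --- constructed fake server for the offline demo (not real keys) ---
FUNDED_KEY = "tk_live_" + "a" * 32
BROKE_KEY = "tk_live_" + "b" * 32
FAKE_ACCOUNTS = {FUNDED_KEY: {"credits": 1}, BROKE_KEY: {"credits": 0}}


def fake_transport(method: str, path: str, headers: dict) -> Tuple[int, str]:
    """Mimics the documented behaviour: 401 for bad tokens, 402 for no credits."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in FAKE_ACCOUNTS:
        return 401, '{"error":"unauthorized"}'
    if FAKE_ACCOUNTS[token]["credits"] <= 0:
        return 402, '{"error":"payment_required"}'
    return 200, '{"ok":true}'


if __name__ == "__main__":
    key = load_key({"TK_API_KEY": FUNDED_KEY})
    print(redact(key), call(key, "/v1/ping", fake_transport))
```

Keeping the two failure modes as separate exception types matters operationally: a 401 should page whoever owns the credential (and usually triggers the rotation steps above), while a 402 is a billing event that no amount of key rotation will fix.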