Authentication
API key format, security, and rate limits.
All API requests require a valid API key in the Authorization header:
Authorization: Bearer tr-abc123...
Getting an API key
- Sign in to your API Dashboard.
- Navigate to API Keys and click Create Key.
- Copy the key immediately — it is only shown once.
Key format
API keys start with tr- followed by 96 hex characters. Keys are hashed (SHA-256) before storage, so Tresor cannot recover a lost key. If you lose your key, revoke it and create a new one.
Security best practices
- Never commit API keys to source control.
- Use environment variables (e.g.
TRESOR_API_KEY) instead of hardcoding keys. - Rotate keys periodically and revoke any that may have been exposed.
Rate limits
Rate limits depend on your plan:
| Plan | Requests per minute |
|---|---|
| Developer | 60 |
| Enterprise | Custom |
Rate limit information is included in every response:
| Header | Description |
|---|---|
X-RateLimit-Limit | Maximum requests per window |
X-RateLimit-Remaining | Remaining requests in window |
Retry-After | Seconds to wait when rate limited (429) |
If you receive a 429 response, wait for the duration specified in Retry-After before retrying. See Error Codes for details.