Authentication

API key format, headers, and security guidance.

All requests authenticate via an API key in the Authorization header:

Authorization: Bearer tr-...

Getting an API key

  1. Sign in at tresor.co.
  2. Open API Dashboard → API Keys and click Create Key.
  3. Copy the key immediately — it is only shown once.

Key format

API keys start with tr- followed by 96 hex characters. Keys are hashed (SHA-256) before storage, so we cannot recover a lost key. There is no rotation flow: to replace a key, create a new one and revoke the old one. If you suspect a key has leaked, revoke it immediately and create a replacement; for a routine swap, deploy the new key first so the service keeps working while the old one is retired.

Security guidance

  • Never commit API keys to source control. Use environment variables (e.g. TRESOR_API_KEY).
  • Treat each key as a deployment-scoped credential — one per service, not one per organisation.
  • Revoke keys immediately if a host they were deployed to is suspected to have been compromised.
  • For zero-trust deployments, pair the API key with tresor-attest so a stolen key cannot be used against a tampered endpoint.
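As an added example (not code from this page or from Tresor), the following Python puts the Key format section and the first guidance bullet into practice: it mints a key in the documented shape (tr- plus 96 hex characters), stores only the SHA-256 of the key, verifies a presented key against that hash in constant time, and scans text for anything shaped like a key so a pre-commit hook or CI job can stop one reaching source control. The generator, lowercase hex, and the scanner pattern are assumptions made for illustration; the page does not say how the dashboard mints keys.

```python
import hashlib
import hmac
import re
import secrets

# Shape from the page: "tr-" followed by 96 hex characters.
# Lowercase hex is an assumption; secrets.token_hex() emits lowercase.
KEY_RE = re.compile(r"tr-[0-9a-f]{96}")
# Same shape, guarded so a longer hex run or a prefixed token is not reported as a key.
KEY_SCAN_RE = re.compile(r"(?<![A-Za-z0-9])tr-[0-9a-f]{96}(?![0-9a-f])")


def generate_key() -> str:
    """Mint a key in the documented shape: 48 random bytes -> 96 hex chars.
    Illustration only; how the dashboard actually mints keys is not documented."""
    return "tr-" + secrets.token_hex(48)


def is_valid_format(key: str) -> bool:
    """Cheap sanity check before doing anything else with a key."""
    return KEY_RE.fullmatch(key) is not None


def hash_key(key: str) -> str:
    """Storage form: SHA-256 of the key, hex encoded. The plaintext is never kept,
    which is why a lost key cannot be recovered from the server side."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def verify_key(presented: str, stored_hash: str) -> bool:
    """Compare hash(presented) with the stored hash in constant time, so a
    mismatch does not leak how many leading bytes matched."""
    if not is_valid_format(presented):
        return False
    return hmac.compare_digest(hash_key(presented), stored_hash)


def find_leaked_keys(text: str) -> list[str]:
    """Return every substring of `text` shaped like a Tresor key
    (for a pre-commit hook or a CI secret scan)."""
    return KEY_SCAN_RE.findall(text)


if __name__ == "__main__":
    key = generate_key()
    stored = hash_key(key)  # what the server would persist
    print("verify ok:", verify_key(key, stored))
    # Constructed sample of a config file committed by mistake.
    sample = f'TRESOR_API_KEY="{key}"\nDEBUG_TOKEN = "tr-deadbeef"\n'
    print("leaked:", find_leaked_keys(sample))
```

The format check runs before hashing so malformed input is rejected cheaply, and the comparison uses hmac.compare_digest rather than == because hash comparison time should not depend on where the first differing byte is.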

Rate limits

Each plan ships with its own per-minute and per-day limits; the current values for your account are shown in the API Dashboard.

Every response includes the live limit headers:

Header                   Description
X-RateLimit-Limit        Maximum requests in the current window.
X-RateLimit-Remaining    Requests remaining in the current window.
Retry-After              Seconds to wait before retrying after a 429.

A 429 response means you should wait Retry-After seconds and retry. See Errors for the standard error envelope.
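As an added example that is not part of this page or of any Tresor client library, here is a small Python client that ties the authentication and rate-limit sections together: it reads the key from TRESOR_API_KEY, sends it as a Bearer token, reads the X-RateLimit-* headers from each response, and on a 429 sleeps for Retry-After seconds before retrying, giving up after a bounded number of attempts. The API URL, the fallback wait used when Retry-After is missing, and the canned responses are assumptions; the scripted transport stands in for the live API so the demo runs offline, while urllib_transport is the one to use against the real service.

```python
import os
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


def auth_headers(api_key: Optional[str] = None) -> Dict[str, str]:
    """Authorization header from TRESOR_API_KEY (or an explicit key); never a literal in code."""
    key = api_key if api_key is not None else os.environ.get("TRESOR_API_KEY")
    if not key:
        raise RuntimeError("TRESOR_API_KEY is not set")
    return {"Authorization": f"Bearer {key}"}


def header(resp: Response, name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    return {k.lower(): v for k, v in resp.headers.items()}.get(name.lower())


def retry_after_seconds(resp: Response, default: float = 1.0) -> float:
    """Retry-After as seconds, the form this API documents. The fallback for a
    missing or unparsable header is an assumption of this example."""
    try:
        return max(0.0, float(header(resp, "Retry-After")))
    except (TypeError, ValueError):
        return default


def rate_limit_state(resp: Response) -> tuple:
    """(limit, remaining) from X-RateLimit-Limit / X-RateLimit-Remaining; None if absent."""
    out = []
    for name in ("X-RateLimit-Limit", "X-RateLimit-Remaining"):
        raw = header(resp, name)
        out.append(int(raw) if raw is not None and raw.isdigit() else None)
    return tuple(out)


def request_with_backoff(transport, method: str, url: str, api_key: Optional[str] = None,
                         max_attempts: int = 5, sleep: Callable[[float], None] = time.sleep) -> Response:
    """Send the request; on 429 wait Retry-After seconds and try again, up to max_attempts."""
    headers = auth_headers(api_key)
    for attempt in range(1, max_attempts + 1):
        resp = transport(method, url, headers)
        if resp.status != 429:
            return resp
        if attempt == max_attempts:
            break
        sleep(retry_after_seconds(resp))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Response:
    """Real transport on the standard library; 4xx/5xx come back as Responses, not exceptions."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return Response(r.status, dict(r.headers.items()), r.read())
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers.items()), e.read())


@dataclass
class ScriptedTransport:
    """Offline stand-in for the API (constructed for this example): returns canned
    responses in order and records the headers it was sent."""
    responses: List[Response]
    seen_headers: List[Dict[str, str]] = field(default_factory=list)

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Response:
        self.seen_headers.append(dict(headers))
        return self.responses.pop(0)


def run_demo():
    """One 429 then a 200. Returns (final status, sleeps taken, (limit, remaining))."""
    waits: List[float] = []
    api = ScriptedTransport([
        Response(429, {"Retry-After": "2", "X-RateLimit-Remaining": "0"}, b'{"error":"rate_limited"}'),
        Response(200, {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "59"}, b"{}"),
    ])
    resp = request_with_backoff(api, "GET", "https://api.tresor.co/v1/ping",  # URL is an assumption
                                api_key="tr-" + "0" * 96, sleep=waits.append)
    return resp.status, waits, rate_limit_state(resp)


if __name__ == "__main__":
    print(run_demo())  # live use: request_with_backoff(urllib_transport, "GET", url)
```

The retry loop is bounded on purpose: an unbounded loop that keeps hitting a 429 is a cheap way to burn the per-day quota, and a service that is repeatedly rate limited should surface that as an error rather than stall silently. Retry-After is parsed as seconds because that is the form this page documents; if you see a value that does not parse, treat it as a reason to back off conservatively rather than to retry at once.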