All requests authenticate via an API key in the Authorization header:
```
Authorization: Bearer tr-...
```
API keys start with tr- followed by 96 hex characters. Keys are hashed (SHA-256) before storage, so we cannot recover a lost key. If you suspect a key has leaked, revoke it in the dashboard and create a new one — there is no rotation flow.
TRESOR_API_KEY).
tresor-attest so a stolen key cannot be used against a tampered endpoint.
Each plan ships with its own per-minute and per-day limits; the current values for your account are shown in the API Dashboard.
Every response includes the live limit headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests in the current window. |
| X-RateLimit-Remaining | Requests remaining in the current window. |
| Retry-After | Seconds to wait before retrying after a 429. |
A 429 response means you should wait Retry-After seconds and retry. See Errors for the standard error envelope.
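The key format check and the 429 handling described above, as an added Python example (not the API provider's own client code). The `send` transport callable, the attempt limit, the 60-second ceiling on `Retry-After` and the acceptance of upper-case hex are assumptions made for illustration.

```python
import re
import time

# Key format stated on this page: "tr-" followed by 96 hex characters.
# Accepting upper-case hex is an assumption.
KEY_RE = re.compile(r"tr-[0-9a-fA-F]{96}")


def auth_headers(api_key):
    """Build the Authorization header; reject malformed keys before any request is sent."""
    if not KEY_RE.fullmatch(api_key or ""):
        # Never echo the key itself into an exception or log line.
        raise ValueError("API key is not 'tr-' followed by 96 hex characters")
    return {"Authorization": f"Bearer {api_key}"}


def retry_delay(status, headers, default=1.0, cap=60.0):
    """Seconds to wait before retrying a 429, or None when no retry is needed."""
    if status != 429:
        return None
    # Header names are case-insensitive on the wire.
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        delay = float(lowered.get("retry-after", default))
    except (TypeError, ValueError):
        delay = default  # unparseable value: fall back instead of retrying at once
    if not delay >= 0:  # negative or NaN
        delay = default
    # Cap the wait so a bogus header cannot stall the client indefinitely.
    return min(delay, cap)


def call_with_retry(send, api_key, max_attempts=4, sleep=time.sleep):
    """send(headers) -> (status, response_headers, body); hypothetical transport callable."""
    headers = auth_headers(api_key)
    for attempt in range(max_attempts):
        status, resp_headers, body = send(headers)
        delay = retry_delay(status, resp_headers)
        if delay is None:
            return status, body
        if attempt < max_attempts - 1:
            sleep(delay)
    raise RuntimeError("rate limited: retries exhausted")
```
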