Skip to main content

API Keys

The Tiro API uses API keys for authentication. All API requests must include a valid API key in the Authorization header using the Bearer token format.

Getting Your API Key

Get your API key from the Tiro Platform:
  1. Go to platform.tiro.ooo and sign in
  2. Navigate to API Keys
  3. Click Create New API Key
  4. Copy your API key and store it securely
Keep your API keys secure and never expose them in client-side code. API keys should only be used in server-side applications.

API Key Format

Tiro API keys follow this format: 
{id}.{secret}
  • {id}: Short, URL-safe identifier
  • {secret}: Random, secure secret string
  • The server stores only a hash of the full key and cannot show the secret again

Making Authenticated Requests

Include your API key in the Authorization header of every request: 
curl -H "Authorization: Bearer $TIRO_API_KEY" \
     -H "Content-Type: application/json" \
     https://api.tiro.ooo/v1/external/notes

Authentication Errors

If authentication fails, you’ll receive a 401 Unauthorized response. Common reasons include:
  • Missing Authorization header
  • Malformed key (must be {id}.{secret})
  • Unknown key id
  • Inactive, expired, or deleted key
{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid",
    "type": "authentication_error"
  }
}

Security Best Practices

Environment Variables

Store API keys securely using environment variables: 
# .env file (never commit this!)
TIRO_API_KEY=abc123.XYZ...

Additional Security Guidelines

  • Rotate keys regularly: Delete unused keys and generate new ones
  • Separate keys per environment: Use different keys for development and production
  • Monitor usage: Track API key usage and rotate on anomalies
  • Never log API keys: Ensure keys don’t appear in application logs
  • Use HTTPS only: Always make requests over secure connections