Authentication

​

API Keys

​

Getting Your API Key

1. Email our support team at [email protected]
2. Provide your use case and integration requirements
3. Receive your API key securely via email
4. Store your API key securely using environment variables

1. Log in to your Tiro Dashboard
2. Navigate to Settings > API Keys
3. Click “Create New API Key”
4. Copy your API key and store it securely

​

API Key Format

{id}.{secret}

• {id}: Short, URL-safe identifier
• {secret}: Random, secure secret string
• The server stores only a hash of the full key and cannot show the secret again

​

Making Authenticated Requests

curl -H "Authorization: Bearer $TIRO_API_KEY" \
     -H "Content-Type: application/json" \
     https://api.tiro.ooo/v1/external/notes

​

Authentication Errors

• Missing Authorization header
• Malformed key (must be {id}.{secret})
• Unknown key id
• Inactive, expired, or deleted key

{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid",
    "type": "authentication_error"
  }
}

​

Security Best Practices

​

Environment Variables

# .env file (never commit this!)
TIRO_API_KEY=abc123.XYZ...

​

Additional Security Guidelines

• Rotate keys regularly: Delete unused keys and generate new ones
• Separate keys per environment: Use different keys for development and production
• Monitor usage: Track API key usage and rotate on anomalies
• Never log API keys: Ensure keys don’t appear in application logs
• Use HTTPS only: Always make requests over secure connections