Skip to main content

Documentation Index

Fetch the complete documentation index at: https://api-docs.tiro.ooo/llms.txt

Use this file to discover all available pages before exploring further.

API Keys

The Tiro API uses API keys for authentication. All API requests must include a valid API key in the Authorization header using the Bearer token format.

Getting Your API Key

Get your API key from the Tiro Platform dashboard:
  1. Go to platform.tiro.ooo/dashboard/api-keys and sign in
  2. Click Create New API Key
  3. Copy your API key and store it securely
Keep your API keys secure and never expose them in client-side code. API keys should only be used in server-side applications.

API Key Format

Tiro API keys follow this format: 
{id}.{secret}
For example: abc123.xR7mK9pL2qW4...
PartExampleDescription
Key ID ({id})abc123Visible in Platform dashboard. Used to identify which key is making requests.
Secret ({secret})xR7mK9pL2qW4...Shown only once at creation. The server stores only a hash — it cannot be recovered.
Full API Keyabc123.xR7mK9pL2qW4...The entire string including the dot. This is what you use as the Bearer token.
Common mistake: Do not use just the Key ID (abc123) as your Bearer token. You must use the full key (abc123.xR7mK9pL2qW4...) — the complete string shown when the key was created.

Making Authenticated Requests

Include your API key in the Authorization header of every request: 
curl -H "Authorization: Bearer $TIRO_API_KEY" \
     -H "Content-Type: application/json" \
     https://api.tiro.ooo/v1/external/notes

Authentication Errors

If authentication fails, you’ll receive a 401 Unauthorized response. Common reasons include:
  • Missing Authorization header
  • Malformed key (must be {id}.{secret})
  • Unknown key id
  • Inactive, expired, or deleted key
{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid",
    "type": "authentication_error"
  }
}

Security Best Practices

Environment Variables

Store API keys securely using environment variables: 
# .env file (never commit this!)
TIRO_API_KEY=abc123.XYZ...

Additional Security Guidelines

  • Rotate keys regularly: Delete unused keys and generate new ones
  • Separate keys per environment: Use different keys for development and production
  • Monitor usage: Track API key usage and rotate on anomalies
  • Never log API keys: Ensure keys don’t appear in application logs
  • Use HTTPS only: Always make requests over secure connections