Tenzro CloudDocs

API Keys

Manage API keys for authenticating with Tenzro Cloud services. Create keys with specific permissions and track usage.

Key Types

TypePrefixUse Case
Developmentdev_Local development, testing
Productionprod_Production applications
Clientclient_Browser-safe, rate-limited

Creating an API Key

  1. Go to your project in the Console
  2. Navigate to Settings → API Keys from the sidebar
  3. Click the Create New Key button
  4. Configure the key settings:
    • Name: Descriptive name for identification (e.g., "Production API", "Dev Environment")
    • Type: Development, Production, or Client
    • Permissions: Select which services this key can access
    • Expiration: Optional expiration date for enhanced security
  5. Click Create Key
  6. Important: Copy the key immediately - it will only be shown once for security

Store your API key securely in environment variables or a secrets manager. Never commit API keys to version control or expose them in client-side code.

Key Permissions

Configure granular permissions for each key:

Permissions:
├── Vec (Vector Database)
│   ├── Read
│   ├── Write
│   └── Delete
├── Kev (Key-Value Store)
│   ├── Read
│   ├── Write
│   └── Delete
├── Data (SQL Database)
│   ├── Read
│   ├── Write
│   └── Admin
├── AI Services
│   ├── Inference
│   ├── Agents
│   └── Workflows
├── File Storage
│   ├── Read
│   ├── Write
│   └── Delete
└── Admin
    ├── Manage Keys
    └── View Usage

Using API Keys

Environment Variables

Store your API key in environment variables for secure access:

# .env file (local development)
TENZRO_API_KEY=dev_your_api_key_here


# For production, use your hosting platform's secrets manager:
# - Vercel: Environment Variables in project settings
# - AWS: Secrets Manager or Parameter Store
# - Google Cloud: Secret Manager
# - Azure: Key Vault

TypeScript/JavaScript SDK

import { Tenzro } from '@tenzro/cloud';


// Using environment variable (recommended)
const tenzro = new Tenzro({
  apiKey: process.env.TENZRO_API_KEY,
});


// Or explicit configuration
const tenzro = new Tenzro({
  apiKey: 'dev_your_api_key_here',
});

Python SDK

from tenzro_cloud import Tenzro
import os


# Using environment variable (recommended)
tenzro = Tenzro(
    api_key=os.environ.get("TENZRO_API_KEY")
)


# Or explicit configuration
tenzro = Tenzro(
    api_key="dev_your_api_key_here"
)

REST API Authentication

# Using Authorization header (recommended)
curl https://api.cloud.tenzro.com/cloud/vec/databases \
  -H "Authorization: Bearer dev_your_api_key_here" \
  -H "Content-Type: application/json"


# Example with POST request
curl -X POST https://api.cloud.tenzro.com/cloud/ai/infer \
  -H "Authorization: Bearer dev_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "gemini-2.5-flash",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Client Keys for Browsers

Client keys (with client_ prefix) are designed for browser and mobile applications where the key may be exposed. They include additional security restrictions:

  • Strict rate limiting: 100 requests/minute by default
  • Domain restrictions: CORS policy limits to allowed domains
  • Limited permissions: No admin operations or sensitive data access
  • Usage tracking: Monitor usage per client IP/domain
  • Reduced token limits: Lower AI inference quotas
// Browser-safe usage with client key
import { Tenzro } from '@tenzro/cloud';


const tenzro = new Tenzro({
  apiKey: 'client_your_client_key_here', // Safe to expose in frontend
});


// Rate-limited AI inference
const response = await tenzro.ai.infer({
  model: 'gemini-2.5-flash',
  messages: [{ role: 'user', content: 'Hello!' }],
});

Key Rotation

Best practices for rotating API keys:

  1. Create the new key first: Generate a new API key before revoking the old one
  2. Update your applications: Deploy the new key to all services using rolling updates
  3. Monitor for errors: Watch for 401 errors indicating old key usage
  4. Revoke the old key: Once all services use the new key, revoke the old one

Recommended rotation schedule:

  • Development keys: Rotate every 6-12 months or when exposed
  • Production keys: Rotate every 90 days
  • Client keys: Rotate when domains change or security incidents occur

Revoking Keys

Revoked keys are immediately invalidated. All requests using a revoked key will return 401 Unauthorized.

  1. Go to Settings → API Keys
  2. Find the key to revoke
  3. Click the menu (⋮) and select Revoke
  4. Confirm the revocation

Usage Monitoring

Track API key usage in the console:

  • Requests: Total API calls per key
  • Bandwidth: Data transferred
  • Errors: Failed requests and error rates
  • Last Used: Most recent activity

Security Best Practices

  • Never commit API keys to version control
  • Use .env files locally, secrets in production
  • Set the minimum required permissions
  • Use client keys for frontend applications
  • Enable IP allowlists for production keys
  • Set up usage alerts for anomaly detection