Authentication

Send the raw API key in the X-API-Key header on every request. The server stores only the SHA256 hash — once a key is revoked it cannot be recovered.

curl -H "X-API-Key: tlyt_your_key_here" ...

Key format

  • Prefixed tlyt_ followed by 43 base64url characters
  • Default rate limit: 10 requests / second per key (returns 429 Rate limit exceeded (10 req/sec) when exceeded)
  • Up to 3 active keys per user — name them descriptively
  • Revoke immediately on suspected compromise — won't affect your other keys

Best practices

  • Store in an environment variable, never in source control
  • Rotate every 90 days as a habit
  • One key per script (e.g. trading-bot-prod, backtester-dev)
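A client-side sketch of the points above, added here as an example and not taken from the service's own code: it loads the key from an environment variable, checks it against the documented format, tags log lines with a short hash instead of the raw key, and spaces requests to stay under the default 10 requests / second. The variable name TLYT_API_KEY and the helper names are assumptions.

```python
import hashlib
import os
import re
import time

# Format from the page: "tlyt_" followed by 43 base64url characters.
KEY_RE = re.compile(r"tlyt_[A-Za-z0-9_-]{43}")
ENV_VAR = "TLYT_API_KEY"  # assumed variable name, not defined by the page


def load_api_key(env=os.environ):
    """Read the key from the environment and reject malformed values early."""
    key = env.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        # Never echo the value itself: a near-miss may still be a real secret.
        raise ValueError(f"{ENV_VAR} is missing or not a tlyt_ key")
    return key


def fingerprint(key):
    """Short SHA-256 tag for local logs, so the raw key is never written out.
    Local convention only; not claimed to match the hash the server stores."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:12]


def auth_headers(key):
    """Header the page requires on every request."""
    return {"X-API-Key": key}


class Pacer:
    """Client-side spacing that keeps one key under the default 10 req/sec."""

    def __init__(self, per_second=10, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / per_second
        self.clock, self.sleep = clock, sleep
        self.next_slot = 0.0

    def wait(self):
        """Block until the next send slot; return the seconds slept."""
        now = self.clock()
        delay = max(0.0, self.next_slot - now)
        if delay:
            self.sleep(delay)
        self.next_slot = max(now, self.next_slot) + self.interval
        return delay
```

Call Pacer.wait() before each request and pass auth_headers(key) to the HTTP client; log fingerprint(key) wherever a script needs to say which key it used.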

Lost a key?

Revoke it from your Profile page and generate a new one. There is no recovery flow — raw keys are not stored on our servers.