Authentication
Send the raw API key in the X-API-Key header on every request. The server stores only
the SHA256 hash — once a key is revoked it cannot be recovered.
Key format
- Prefixed `tlyt_` followed by 43 base64url characters
- Default rate limit: 10 requests / second per key (returns `429 Rate limit exceeded (10 req/sec)` when exceeded)
- Up to 3 active keys per user — name them descriptively
- Revoke immediately on suspected compromise — won't affect your other keys
Best practices
- Store in an environment variable, never in source control
- Rotate every 90 days as a habit
- One key per script (e.g. `trading-bot-prod`, `backtester-dev`)
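A client-side helper that follows the guidance above, added here as an example and not taken from the API's own code or SDK: it reads the key from an environment variable, checks it against the documented format, builds the `X-API-Key` header, and spaces requests to stay under the default 10 requests / second. The variable name `TLYT_API_KEY` and the names `load_key`, `auth_headers` and `Throttle` are assumptions.

```python
import os
import re
import time

# Format from this page: "tlyt_" followed by 43 base64url characters.
KEY_RE = re.compile(r"tlyt_[A-Za-z0-9_-]{43}")
ENV_VAR = "TLYT_API_KEY"  # assumed name; the page does not define one
MAX_PER_SEC = 10          # default per-key rate limit stated on this page
SAMPLE_KEY = "tlyt_" + "A" * 43  # constructed placeholder, not a real key


def load_key(env=os.environ):
    """Read the key from the environment; reject anything malformed."""
    key = env.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        # Do not echo the value: a malformed key may still be a partial secret.
        raise ValueError(f"{ENV_VAR} is missing or is not a tlyt_ key")
    return key


def auth_headers(key):
    """Header to attach to every request."""
    return {"X-API-Key": key}


class Throttle:
    """Sliding one-second window that keeps one key under MAX_PER_SEC."""

    def __init__(self, limit=MAX_PER_SEC, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.clock, self.sleep = limit, clock, sleep
        self.sent = []  # send times that fall inside the current window

    def wait(self):
        """Block until one more request fits; return the seconds slept."""
        now = self.clock()
        self.sent = [t for t in self.sent if now - t < 1.0]
        delay = 0.0
        if len(self.sent) >= self.limit:
            delay = 1.0 - (now - self.sent[0])  # until the oldest send expires
            self.sleep(delay)
            now += delay
            self.sent.pop(0)
        self.sent.append(now)
        return delay


if __name__ == "__main__":
    key, throttle = load_key({ENV_VAR: SAMPLE_KEY}), Throttle()
    print([round(throttle.wait(), 2) for _ in range(12)], list(auth_headers(key)))
```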
Lost a key?
Revoke it from your Profile page and generate a new one. There is no recovery flow — raw keys are not stored on our servers.