API Keys
API keys authenticate your application's SDK with the tmam server. Each key is scoped to a specific organization and project.
tmam generates two values when you create an API key:
| Key | Format | Purpose |
| -- | -- | -- |
| Public Key | `pk-tmam-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` | Identifies your key (safe to log) |
| Secret Key | `sk-tmam-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` | Authenticates your requests (keep private) |
⚠️ The secret key is shown only once at creation. Copy it immediately and store it securely. If lost, you must delete the key and create a new one. The server only stores a bcrypt hash of the secret — it cannot be recovered.
- Sign in to the dashboard
- Navigate to Settings → API Keys
- Select the Organization and Project the key should be scoped to
- Enter a descriptive name for the key (e.g. `production-app`, `staging`)
- Click Generate
- Copy both the public key and secret key — the secret is shown only once
Pass the keys to init():
```python
from tmam import init

init(
    url="http://localhost:5050/api/sdk",
    public_key="pk-tmam-xxxxxxxx",
    secrect_key="sk-tmam-xxxxxxxx",
    application_name="my-app",
    environment="production",
)
```
Or set them as environment variables:
```bash
export TMAM_URL="http://localhost:5050/api/sdk"
export TMAM_PUBLIC_KEY="pk-tmam-xxxxxxxx"
export TMAM_SECRET_KEY="sk-tmam-xxxxxxxx"
```

```python
from tmam import init

init(application_name="my-app")  # reads keys from environment
```
The SDK sends the keys as HTTP headers on every request to /api/sdk:
```http
X-Public-Key: pk-tmam-xxxxxxxx
X-Secret-Key: sk-tmam-xxxxxxxx
```
The server:
- Looks up the key record by public key
- Compares the incoming secret key against the stored bcrypt hash
- Grants access to the scoped organization and project if valid
The plaintext secret is never stored — only its hash. This means a leaked database does not expose valid SDK credentials.
From Settings → API Keys you can:
- View all keys — see key names, short previews, and when they were created
- Copy public key — re-copy the public key at any time
- Delete a key — immediately revokes all access for that key
Each API key is bound to one organization and one project. All telemetry sent using a key is automatically attributed to that org/project combination in the dashboard.
To send data from multiple projects, create separate API keys for each.
- Never commit keys to version control — use environment variables or a secrets manager
- Use separate keys per environment (production, staging, dev) for clean data separation
- Rotate keys regularly — delete the old key and create a new one
- Use descriptive names so you can identify which key belongs to which service
- Restrict access — only admins can create and delete keys within an organization
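
One way to enforce the "never commit keys" rule is a small scanner that can run as a pre-commit hook or CI step and also masks secret keys before text is logged. This is an added example, not part of the tmam SDK; the function names are hypothetical, the sample keys are constructed, and it assumes the `x` characters in the documented key format stand for hex digits.

```python
import re
import sys
from pathlib import Path

# Assumption: the x's in the documented key format stand for hex digits (UUID layout).
_UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
SECRET_RE = re.compile(rf"\bsk-tmam-{_UUID}\b")

def redact(text):
    """Mask secret keys; public keys (pk-tmam-...) are left intact, they are safe to log."""
    return SECRET_RE.sub("sk-tmam-[REDACTED]", text)

def scan_text(text, source="<text>"):
    """Return (source, line_number, redacted_line) for each line holding a secret key."""
    return [
        (source, number, redact(line).strip())
        for number, line in enumerate(text.splitlines(), 1)
        if SECRET_RE.search(line)
    ]

def scan_paths(paths):
    """Scan files (e.g. the staged files handed over by a pre-commit hook)."""
    findings = []
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # deleted or unreadable file: nothing to scan
        findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample input; the key values are made up for this example.
SAMPLE = (
    'public_key="pk-tmam-00000000-1111-2222-3333-444444444444"\n'
    'export TMAM_SECRET_KEY="sk-tmam-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"\n'
    'export TMAM_SECRET_KEY="sk-tmam-xxxxxxxx"  # docs placeholder, not a key\n'
)

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "<sample>")
    for source, number, line in hits:
        print(f"{source}:{number}: tmam secret key found: {line}")
    sys.exit(1 if hits else 0)
```

Run it with file paths as arguments; a non-zero exit status blocks the commit, and the reported lines never contain the key itself.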