Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tokmodel.com/llms.txt

Use this file to discover all available pages before exploring further.

Every request to the TokModel API must include an API key. Keys are created in the TokModel console and passed as a bearer token in the Authorization header. You can create multiple keys — one per environment or application — so that you can rotate or revoke them independently without disrupting other services.

Create your first API key

1

Open the console

Go to https://tokmodel.com/console and log in to your account.
2

Navigate to API keys

In the left sidebar, click API Keys. You will see a list of any keys you have already created.
3

Click Create key

Click the Create key button in the top-right corner of the API Keys page.
4

Name your key

Enter a descriptive name such as production-backend or dev-local. A clear name makes it easier to identify and revoke a specific key later.
5

Copy the key immediately

After creation, the full key is shown exactly once. Copy it to a secure location before closing the dialog.
TokModel does not store your API key after it is generated. If you close this dialog without copying the key, you will need to delete it and create a new one.

Key naming and organization

Use names that reflect where and how the key is used. Good examples:
  • prod-api-server — the key used by your production backend
  • staging-worker — a background job in a staging environment
  • local-dev-alice — a personal key for local development
Avoid generic names like key1 or test. When you need to revoke a key after a credential leak, an ambiguous name makes it harder to identify the right one quickly.

Use a key in API requests

Pass your key as a bearer token in the Authorization header of every request. 
curl https://tokmodel.com/v1/chat/completions \
  -H "Authorization: Bearer $TOKMODEL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Set the key as an environment variable

Store your key in an environment variable rather than hard-coding it in source files. This keeps credentials out of version control. 
export TOKMODEL_API_KEY="tm-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Then read it in your application: 
import os
import httpx

api_key = os.environ["TOKMODEL_API_KEY"]

response = httpx.post(
    "https://tokmodel.com/v1/chat/completions",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
        "model": "openai/gpt-4o",
        "messages": [{"role": "user", "content": "Hello!"}],
    },
)
print(response.json())

const apiKey = process.env.TOKMODEL_API_KEY;

const response = await fetch("https://tokmodel.com/v1/chat/completions", {
  method: "POST",
  headers: {
    Authorization: `Bearer ${apiKey}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    model: "openai/gpt-4o",
    messages: [{ role: "user", content: "Hello!" }],
  }),
});

const data = await response.json();
console.log(data);

Rotate a key

If you suspect a key has been compromised, or you want to rotate credentials as a routine security practice:
  1. Create a new API key in the console and give it a name that reflects its purpose.
  2. Deploy the new key to your application or environment.
  3. Verify that the new key is working correctly in production.
  4. Revoke the old key (see below).
Rotating before revoking ensures there is no gap in service availability.

Revoke a key

To delete a key, open the API Keys page in the console, find the key by name, and click Revoke. The key is immediately invalidated — any in-flight or future requests using it will receive a 401 Unauthorized response.

Security best practices

  • Never share API keys. Do not paste keys in chat messages, emails, GitHub issues, or support tickets.
  • Use environment variables. Never hard-code a key directly in source code or commit it to a repository.
  • Use one key per environment. Separate keys for development, staging, and production make it easy to rotate credentials in one environment without affecting others.
  • Revoke unused keys. Delete keys that are no longer needed to minimize your attack surface.
  • Audit periodically. Review the API Keys list regularly and remove any keys whose purpose you no longer recognize.