> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tokmodel.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage your TokModel API keys: create, rotate, revoke

> Learn how to create, name, use, rotate, and revoke TokModel API keys to authenticate your application and keep credentials secure.

Every request to the TokModel API must include an API key. Keys are created in the [TokModel console](https://tokmodel.com/console) and passed as a bearer token in the `Authorization` header. You can create multiple keys — one per environment or application — so that you can rotate or revoke them independently without disrupting other services.

## Create your first API key

<Steps>
  <Step title="Open the console">
    Go to [https://tokmodel.com/console](https://tokmodel.com/console) and log in to your account.
  </Step>

  <Step title="Navigate to API keys">
    In the left sidebar, click **API Keys**. You will see a list of any keys you have already created.
  </Step>

  <Step title="Click Create key">
    Click the **Create key** button in the top-right corner of the API Keys page.
  </Step>

  <Step title="Name your key">
    Enter a descriptive name such as `production-backend` or `dev-local`. A clear name makes it easier to identify and revoke a specific key later.
  </Step>

  <Step title="Copy the key immediately">
    After creation, the full key is shown exactly once. Copy it to a secure location before closing the dialog.

    <Warning>
      TokModel does not store your API key after it is generated. If you close this dialog without copying the key, you will need to delete it and create a new one.
    </Warning>
  </Step>
</Steps>

## Key naming and organization

Use names that reflect where and how the key is used. Good examples:

* `prod-api-server` — the key used by your production backend
* `staging-worker` — a background job in a staging environment
* `local-dev-alice` — a personal key for local development

Avoid generic names like `key1` or `test`. When you need to revoke a key after a credential leak, an ambiguous name makes it harder to identify the right one quickly.

## Use a key in API requests

Pass your key as a bearer token in the `Authorization` header of every request.

```bash theme={null}
curl https://tokmodel.com/v1/chat/completions \
  -H "Authorization: Bearer $TOKMODEL_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
```

### Set the key as an environment variable

Store your key in an environment variable rather than hard-coding it in source files. This keeps credentials out of version control.

```bash theme={null}
export TOKMODEL_API_KEY="tm-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```

Then read it in your application:

```python theme={null}
import os
import httpx

api_key = os.environ["TOKMODEL_API_KEY"]

response = httpx.post(
    "https://tokmodel.com/v1/chat/completions",
    headers={"Authorization": f"Bearer {api_key}"},
    json={
        "model": "openai/gpt-4o",
        "messages": [{"role": "user", "content": "Hello!"}],
    },
)
print(response.json())
```

```javascript theme={null}
const apiKey = process.env.TOKMODEL_API_KEY;

const response = await fetch("https://tokmodel.com/v1/chat/completions", {
  method: "POST",
  headers: {
    Authorization: `Bearer ${apiKey}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    model: "openai/gpt-4o",
    messages: [{ role: "user", content: "Hello!" }],
  }),
});

const data = await response.json();
console.log(data);
```

## Rotate a key

If you suspect a key has been compromised, or you want to rotate credentials as a routine security practice:

1. Create a new API key in the console and give it a name that reflects its purpose.
2. Deploy the new key to your application or environment.
3. Verify that the new key is working correctly in production.
4. Revoke the old key (see below).

Rotating before revoking ensures there is no gap in service availability.

## Revoke a key

To delete a key, open the **API Keys** page in the console, find the key by name, and click **Revoke**. The key is immediately invalidated — any in-flight or future requests using it will receive a `401 Unauthorized` response.

## Security best practices

* **Never share API keys.** Do not paste keys in chat messages, emails, GitHub issues, or support tickets.
* **Use environment variables.** Never hard-code a key directly in source code or commit it to a repository.
* **Use one key per environment.** Separate keys for development, staging, and production make it easy to rotate credentials in one environment without affecting others.
* **Revoke unused keys.** Delete keys that are no longer needed to minimize your attack surface.
* **Audit periodically.** Review the API Keys list regularly and remove any keys whose purpose you no longer recognize.
