TorkTORK

Authentication

API Keys

Learn how to create, manage, and secure your Tork API keys.

What are API Keys?

API keys are unique identifiers that authenticate your requests to the Tork API. Each key is tied to your organization and grants access to all Tork services within your plan's limits.

Your API key looks like this: tork_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys are Secrets

Your API key is like a password. Anyone with your key can make requests on your behalf and you'll be billed for their usage.

Creating and Managing Keys

Creating a New Key

  1. Go to the API Keys page in your dashboard
  2. Click "Create Key"
  3. Give your key a descriptive name (e.g., "Production Server", "Development")
  4. Important: Copy and save your key immediately - you won't be able to see it again

Using Your Key

Include your API key in the Authorization header:

bash
curl -X POST https://api.tork.network/v1/govern \
  -H "Authorization: Bearer tork_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "my-agent", "action": "check"}'

Revoking a Key

If a key is compromised or no longer needed, revoke it immediately from the dashboard. Revoked keys stop working instantly.

Security Best Practices

Critical Security Warning

You are responsible for all API usage made with your keys. Protect them like passwords. Leaked keys can result in unexpected charges and potential data exposure.

Never Share Keys Publicly

Don't commit API keys to Git repositories, share them in Slack/email, or include them in client-side code. Attackers scan public repositories for leaked credentials.

Use Environment Variables

Store keys in environment variables or secret management services (AWS Secrets Manager, HashiCorp Vault). Never hardcode keys in your application source code.

Rotate Keys Every 90 Days

Regular key rotation limits the blast radius if a key is compromised. Create a new key, update your applications, then revoke the old key.

Revoke Immediately if Compromised

If you suspect a key has been exposed, revoke it immediately from your dashboard. Don't wait - create a new key and update your systems.

Use Separate Keys for Environments

Create different keys for development, staging, and production. This limits damage if a dev key is leaked and helps you track usage per environment.

Monitor Your Usage

Regularly check your usage dashboard for unexpected spikes or patterns. Set up alerts to be notified of unusual activity.

Environment Variables Example

bash
# .env file (never commit this!)
TORK_API_KEY=tork_live_your_api_key_here

# In your application
import os
api_key = os.environ.get("TORK_API_KEY")
javascript
// Node.js example
const apiKey = process.env.TORK_API_KEY;

// Always validate the key exists
if (!apiKey) {
  throw new Error("TORK_API_KEY environment variable is required");
}

When to Rotate or Revoke Keys

Revoke and create new keys in these situations:

  • Key exposed: If your key was committed to a public repo, shared in a public channel, or otherwise leaked
  • Team member leaves: When someone with key access leaves your organization
  • Unusual activity: If you see unexpected API calls or usage patterns
  • Regular rotation: As part of your security hygiene (every 90 days recommended)
  • Security incident: After any security breach, even if keys weren't directly involved

Key Rotation Process

1) Create a new key, 2) Update your applications to use the new key, 3) Verify the new key works, 4) Revoke the old key. This ensures zero downtime.

Key Limits by Plan

Each plan has different limits for the number of API keys you can create:

PlanAPI KeysRate Limit
Free2100/min
Starter5500/min
Pro102,000/min
EnterpriseUnlimitedCustom

Need more keys? Upgrade your plan or contact us for Enterprise options.

Need Help?

If you have questions about API key security or need to report a potential leak, contact us immediately at security@tork.network.

Documentation

Learn to integrate TORK

Upgrade Plan

Current: free

Support

Get help from our team