Authentication
All Tenzro Platform API requests require authentication using API keys. This guide covers how to obtain, configure, and secure your API credentials.
API Keys
API keys are created in the Tenzro Platform dashboard. Each key is scoped to a specific tenant and can have granular permissions.
Key Format
```text
tz_<environment>_<random_string>
```
Examples:
```text
tz_prod_xxxxxxxxxxxxxxxxxxxx (production)
tz_dev_xxxxxxxxxxxxxxxxxxxx (development)
tz_test_xxxxxxxxxxxxxxxxxxxx (test/sandbox)
```
Request Headers
Include these headers with every API request:
| Header | Description | Required |
|---|---|---|
| Authorization | Bearer token with your API key | Yes |
| X-Tenant-ID | Your tenant identifier | Yes |
| Content-Type | application/json for POST/PUT/PATCH | For body requests |
| X-Idempotency-Key | Unique key for idempotent requests | Recommended |
Example Request
```bash
curl -X POST "https://api.platform.tenzro.com/api/wallet/create" \
  -H "Authorization: Bearer tz_prod_xxxxxxxxxxxx" \
  -H "X-Tenant-ID: tenant_abc123" \
  -H "Content-Type: application/json" \
  -H "X-Idempotency-Key: unique-request-id" \
  -d '{"name": "Treasury", "type": "multi-sig"}'
```
API Key Scopes
API keys can be restricted to specific services and operations:
| Scope | Description |
|---|---|
| wallet:read | Read wallet information |
| wallet:write | Create and modify wallets |
| token:transfer | Execute token transfers |
| bridge:execute | Execute cross-chain transfers |
| custody:sign | Sign transactions |
| ledger:read | Read ledger entries |
| ledger:write | Create ledger entries |
| ai:inference | Run AI inference |
| anchor:write | Anchor data to blockchain |
| admin:* | Full administrative access |
Key Rotation
API keys should be rotated regularly. The platform supports zero-downtime rotation:
```javascript
// Create a new key before revoking the old one
const newKey = await platform.apiKeys.create({
  name: 'Production Key v2',
  scopes: ['wallet:*', 'token:*', 'bridge:*'],
  expiresAt: '2025-12-31T23:59:59Z',
});
// Update your application to use the new key
// Then revoke the old key
await platform.apiKeys.revoke('old-key-id');
```
Security Best Practices
- Never expose keys in client-side code - API keys should only be used in server-side applications
- Use environment variables - Store keys in environment variables, never in source code
- Restrict scopes - Only grant the minimum permissions needed
- Set expiration dates - Use short-lived keys when possible
- Monitor usage - Review API key usage in the dashboard regularly
- Use IP allowlists - Restrict API key usage to specific IP addresses
Rate Limiting
API requests are rate limited per API key. Current limits are returned in response headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests per window |
| X-RateLimit-Remaining | Requests remaining in window |
| X-RateLimit-Reset | Unix timestamp when limit resets |
When rate limited, requests return 429 Too Many Requests with a Retry-After header.
Error Responses
Authentication errors return appropriate HTTP status codes:
| Status | Error | Description |
|---|---|---|
| 401 | Unauthorized | Missing or invalid API key |
| 403 | Forbidden | Key lacks required scope |
| 429 | Too Many Requests | Rate limit exceeded |
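As an added example (not part of this guide or the Tenzro SDK), a small Node.js helper that validates the key format from the Key Format section, assembles the headers from the Request Headers table, and maps the rate-limit and error responses above to a retry decision. It assumes Retry-After is given in seconds and that response header names are passed in lower case, as fetch()'s Headers.get() returns them.

```javascript
// Added example, not the Tenzro SDK: build the documented request headers and turn
// the documented auth / rate-limit responses into a caller action.

const KEY_PATTERN = /^tz_(prod|dev|test)_[A-Za-z0-9]+$/;

// Reject anything that is not a tz_<environment>_<random_string> key before it
// reaches the network, so a mis-set environment variable fails loudly.
function parseKeyEnvironment(apiKey) {
  const match = KEY_PATTERN.exec(String(apiKey));
  if (!match) throw new Error('API key must look like tz_<environment>_<random_string>');
  return match[1]; // 'prod' | 'dev' | 'test'
}

// Headers from the "Request Headers" table. Content-Type is only sent with a body;
// X-Idempotency-Key is recommended, so it is sent whenever the caller supplies one.
function buildHeaders({ apiKey, tenantId, hasBody = true, idempotencyKey }) {
  parseKeyEnvironment(apiKey);
  if (!tenantId) throw new Error('X-Tenant-ID is required');
  const headers = { Authorization: `Bearer ${apiKey}`, 'X-Tenant-ID': tenantId };
  if (hasBody) headers['Content-Type'] = 'application/json';
  if (idempotencyKey) headers['X-Idempotency-Key'] = idempotencyKey;
  return headers;
}

// `headers` is a plain object keyed by lower-case header name. `nowUnix` is
// injected so the X-RateLimit-Reset fallback is deterministic and testable.
function classifyResponse(status, headers = {}, nowUnix = Math.floor(Date.now() / 1000)) {
  if (status === 401) return { action: 'fail', reason: 'missing or invalid API key' };
  if (status === 403) return { action: 'fail', reason: 'key lacks required scope' };
  if (status === 429) {
    // Prefer Retry-After (assumed to be seconds); fall back to X-RateLimit-Reset;
    // never wait less than one second so a missing header cannot cause a tight loop.
    let delay = Number(headers['retry-after']);
    if (!(delay > 0)) delay = Number(headers['x-ratelimit-reset']) - nowUnix;
    return { action: 'retry', delaySeconds: delay > 0 ? delay : 1 };
  }
  if (status >= 200 && status < 300) {
    const remaining = Number(headers['x-ratelimit-remaining']);
    return { action: 'ok', remaining: Number.isFinite(remaining) ? remaining : null };
  }
  return { action: 'fail', reason: `unexpected status ${status}` };
}
```

A 403 is worth alerting on separately from a 401: it means a valid key is being used for an operation outside its scope, which is either a misconfiguration or a key in the wrong hands.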