Account

Manage API Keys

Create, store, rotate, and revoke Tenki API keys for Sandbox SDKs, CLI automation, and CI.

Tenki API keys authenticate the Sandbox SDKs and non-interactive CLI sessions. A key begins with tk_, and the SDKs read it from the TENKI_API_KEY environment variable by default. Tenki Runners and Code Reviewer use their GitHub App connections instead of API keys.

Create an API key

  1. Sign in to the Tenki dashboard and select Tenki Sandbox.
  2. Complete Sandbox onboarding. Tenki creates the initial API key for you; copy it when it is shown and save it in your shell or secret manager.
  3. To create another key or control expiration, open API Keys and select Create API Key.
  4. Enter a Key Name, optionally select an expiration date, and select Create Key.
  5. Copy the new key when it is shown and store it securely.
Create API key dialog in the Tenki dashboard

Use the key

Export the key before running an SDK program:

export TENKI_API_KEY=tk_your_api_key

For a non-interactive CLI login, pass the same value directly:

tenki login --api-key tk_your_api_key
tenki status

The CLI can also authenticate without an API key by running tenki login and completing browser sign-in. See the Sandbox Quickstart for the complete setup flow.

Rotate or revoke a key

To rotate a key without interrupting automation:

  1. Create a replacement key.
  2. Update every application, CI secret, or secret manager that uses the old key.
  3. Verify the replacement key with tenki status or an SDK request.
  4. Return to API Keys, select the delete button beside the old key, and confirm Revoke API Key.

Revocation takes effect immediately and cannot be undone.

Keep keys secure

  • Store keys in a secret manager or your CI provider's encrypted secrets.
  • Never commit a key to source control or paste one into an issue, pull request, or support message.
  • Use descriptive names so you can identify each key's owner and purpose.
  • Set an expiration date appropriate for the workload and revoke keys that are no longer used.
  • If a key is exposed, replace it and revoke the exposed key immediately.

Need a Workspace ID as well? See Find your Workspace ID.