# Manage API Keys (https://tenki.cloud/docs/account/api-keys)

> For the complete documentation index, see [llms.txt](https://tenki.cloud/llms.txt)

Create, store, rotate, and revoke Tenki API keys for Sandbox SDKs, CLI automation, and CI.



Tenki API keys authenticate the Sandbox SDKs and non-interactive CLI sessions. A key begins with `tk_`, and the
SDKs read it from the `TENKI_API_KEY` environment variable by default. Tenki Runners and Code Reviewer use their
GitHub App connections instead of API keys.

Create an API key [#create-an-api-key]

1. [Sign in to the Tenki dashboard](https://app.tenki.cloud) and select **Tenki Sandbox**.
2. Complete Sandbox onboarding. Tenki creates the initial API key for you; copy it when it is shown and save it
   in your shell or secret manager.
3. To create another key or control expiration, open **API Keys** and select **Create API Key**.
4. Enter a **Key Name**, optionally select an expiration date, and select **Create Key**.
5. Copy the new key when it is shown and store it securely.

![Create API key dialog in the Tenki dashboard](https://tenki.cloud/images/docs/sandbox/create-api-key.png)

Use the key [#use-the-key]

Export the key before running an SDK program:

```bash
export TENKI_API_KEY=tk_your_api_key
```

For a non-interactive CLI login, pass the same value directly:

```bash
tenki login --api-key tk_your_api_key
tenki status
```

The CLI can also authenticate without an API key by running `tenki login` and completing browser sign-in. See
the [Sandbox Quickstart](/docs/sandbox/quick-start-sandbox#2-authenticate) for the complete setup flow.

Rotate or revoke a key [#rotate-or-revoke-a-key]

To rotate a key without interrupting automation:

1. Create a replacement key.
2. Update every application, CI secret, or secret manager that uses the old key.
3. Verify the replacement key with `tenki status` or an SDK request.
4. Return to **API Keys**, select the delete button beside the old key, and confirm **Revoke API Key**.

Revocation takes effect immediately and cannot be undone.

Keep keys secure [#keep-keys-secure]

* Store keys in a secret manager or your CI provider's encrypted secrets.
* Never commit a key to source control or paste one into an issue, pull request, or support message.
* Use descriptive names so you can identify each key's owner and purpose.
* Set an expiration date appropriate for the workload and revoke keys that are no longer used.
* If a key is exposed, replace it and revoke the exposed key immediately.

Need a Workspace ID as well? See [Find your Workspace ID](/docs/account/members-and-settings#find-your-workspace-id).
