Authentication

Tenantbox uses API keys to authenticate requests. Every project gets its own API key; include it as a Bearer token on every request.

How it works

When you create a project from the dashboard, Tenantbox generates an API key. The raw key is shown only once at creation time — Tenantbox only stores a SHA-256 hash of it. If you lose it, you'll need to regenerate a new one from the project settings.

API key format
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Sending the API key

Pass your API key in the Authorization header as a Bearer token on every request:

Example authenticated request
curl -X POST https://api.Tenantbox.dev/api/storage/upload/ \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "user_123",
    "filename": "contract.pdf"
  }'

Key scoping

Each API key is scoped to a single project. It can only read and write data belonging to that project's tenants. A key from Project A cannot access files from Project B.

Project scoped

One key per project. Keys only work within their own project namespace.

Hashed storage

Tenantbox never stores the raw key. Only a SHA-256 hash is kept.

Rotatable

Regenerate your key anytime from the project page if it's compromised.

Regenerating a key

If your key is compromised or you need to rotate it, go to your project page in the dashboard and click Regenerate. The old key is invalidated immediately — any integrations using it will start failing until updated.

Regeneration is immediate and irreversible. Update all services using the old key before confirming. There is no grace period.

Best practices

Only use API keys in server-side code. Never expose them in frontend JavaScript, mobile apps, or public repositories.

Store keys in environment variables, not hardcoded in source files.

Rotate keys regularly — especially before and after team member offboarding.

Regenerate immediately if you suspect a key has been exposed anywhere.

Use separate projects (and therefore separate keys) for production and staging environments.

Error responses

Requests with a missing or invalid API key return a 401 Unauthorized response:

401 Unauthorized
{
  "detail": "Unauthorized"
}
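The server side of the model described under Key scoping, Hashed storage, Regenerating a key and Error responses, as an added example (not Tenantbox's own code): keys are stored only as SHA-256 digests, each key maps to exactly one project, regenerating a key invalidates the old one at once, and a missing or invalid Bearer token produces the 401 body shown above. The sk_live_ prefix comes from the curl example; the generation scheme, the in-memory store and the tenant ownership table are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "sk_live_"  # prefix from the page's curl example; the generation scheme is assumed


def digest(raw_key):
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Server-side store that keeps only SHA-256 digests of issued keys, never the raw key."""

    def __init__(self):
        self._project_by_hash = {}  # digest -> project_id
        self._hash_by_project = {}  # project_id -> current digest (one key per project)

    def regenerate(self, project_id):
        """Issue a fresh key and invalidate the previous one; the raw key is returned once, not stored."""
        raw_key = KEY_PREFIX + secrets.token_urlsafe(36)
        old = self._hash_by_project.get(project_id)
        if old is not None:
            del self._project_by_hash[old]  # the old key stops working at once, no grace period
        new = digest(raw_key)
        self._project_by_hash[new] = project_id
        self._hash_by_project[project_id] = new
        return raw_key

    def project_for(self, raw_key):
        """Map a presented key to its project (or None) by comparing digests in constant time."""
        presented = digest(raw_key)
        for stored, project_id in self._project_by_hash.items():
            if hmac.compare_digest(stored, presented):
                return project_id
        return None


def authenticate(headers, store):
    """Parse 'Authorization: Bearer <key>'; returns (status, body, project_id), 401 on any failure."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    project_id = store.project_for(token.strip()) if scheme == "Bearer" and token.strip() else None
    if project_id is None:
        return 401, {"detail": "Unauthorized"}, None
    return 200, {}, project_id


def in_scope(project_id, tenant_id, tenant_owner):
    """Project scoping: a key may only touch tenants registered under its own project (constructed table)."""
    return tenant_owner.get(tenant_id) == project_id
```

A cross-project request passes authentication but fails in_scope, which is the check a handler should run before touching any tenant data.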

Ready to upload files?

Head to the uploads guide to make your first file upload.
