Skip to main content
API keys let you interact with Tusky programmatically through the REST API and the TypeScript SDK. Each key is scoped to your account and can be configured with specific permissions.

Creating an API Key

1

Open the API keys page

Navigate to app.tusky.io/account/api-keys in the Tusky dashboard.
2

Generate a new key

Click Create API Key. Provide a descriptive name (for example, production-backend or ci-pipeline) and select the permission scopes you need.
3

Copy your key

Your API key is displayed once after creation. Copy it immediately and store it securely.
You will not be able to view the full API key again. If you lose it, you must revoke the key and create a new one.

Permission Scopes

API keys can be scoped to limit what operations they are allowed to perform:
ScopeDescription
environments:readList and retrieve environment metadata
environments:writeCreate, update, and delete environments
files:readList, retrieve, and download files
files:writeUpload and delete files
members:readList environment members
members:writeAdd, update, and remove environment members
account:readRead account info, usage, and balance
aggregators:readRead aggregator configuration
aggregators:writeUpdate aggregator settings and custom domains
Follow the principle of least privilege: only grant the scopes your application needs. A key used solely for reading files should not have environments:write or members:write permissions.

Using Your API Key

With the SDK

Pass your API key when initializing the Tusky client: 
import Tusky from "@tusky-io/ts-sdk";

const tusky = new Tusky({
  apiKey: process.env.TUSKY_API_KEY,
});

With the REST API

Include the API key in the Authorization header of every request: 
curl https://api.tusky.io/v1/environments \
  -H "Authorization: Bearer $TUSKY_API_KEY"

Key Management

Rotation

Rotate API keys regularly, especially if they may have been exposed. To rotate:
  1. Create a new API key with the same scopes
  2. Update your application configuration to use the new key
  3. Verify the application works with the new key
  4. Revoke the old key
Tusky does not enforce automatic key expiration. You are responsible for rotating keys according to your organization’s security policy.

Revocation

Revoke a key instantly from the API keys page. Revocation takes effect immediately — any in-flight requests using the revoked key will fail.

Security Best Practices

API keys grant programmatic access to your Tusky account. Treat them like passwords.
  • Use environment variables — never hardcode API keys in source code 
    # .env (add to .gitignore)
TUSKY_API_KEY=tsk_live_...
  • Never commit keys to version control — use .gitignore to exclude .env files and audit your git history if a key is accidentally committed
  • Use separate keys per environment — create distinct keys for development, staging, and production
  • Scope keys narrowly — grant only the permissions each integration needs
  • Revoke unused keys — regularly audit your active keys and revoke any that are no longer needed
  • Monitor usage — check the dashboard for unexpected API activity that could indicate a compromised key
If you suspect a key has been compromised, revoke it immediately from the dashboard at app.tusky.io/account/api-keys. Then create a new key and update your application.

Next Steps

Fund Your Wallet

Add SUI and WAL to start uploading files.

Quickstart

Upload your first file using the SDK.