Secret keys
Most API endpoints require a secret key. Pass it as a Bearer token in the Authorization header.
Authorization: Bearer tn_live_xxxxxxxxxxxxxxxxxxxx
tn_live_. Get yours from the dashboard.
Secret keys have full access to your account. Never expose them in client-side code, browser requests, or public repositories.
Publishable keys
The device endpoints (/identify and /validate) use a publishable key instead. Publishable keys are safe to embed in browser JavaScript.
POST /identify
Content-Type: application/json
{
"publishable_key": "pk_live_xxxxxxxxxxxxxxxxxxxx",
"components": { ... }
}
pk_live_. Find yours in the dashboard under API Keys.
Error responses
| Status | Meaning |
|---|
401 | Missing or invalid API key |
403 | Valid key, but quota exhausted — subscribe or buy top-up credits |
