Authentication

Secure your API requests with API key authentication.

API Key Authentication

External Platform API endpoints such as /v1/platform/evaluations and /v1/platform/health require a valid Platform API key in the Authorization header using the Bearer scheme:

curl https://api.tutorflow.io/v1/platform/evaluations \
  -H "Authorization: Bearer tf_platform_..."

Key Format

All API keys use the prefix tf_platform_ followed by a random string.

Key Security

  • API keys are hashed with bcrypt before storage. The raw key is shown only once, at creation.
  • Store keys in environment variables, never in source code.
  • Rotate keys regularly through the TutorFlow dashboard.

Key Management

Workspace, key, webhook, usage, and billing management endpoints are internal management APIs in the current MVP. They are authenticated with TutorFlow admin auth, not Platform API keys, and are intentionally not documented as public agent API surface. A request sent with Authorization: Bearer tf_platform_... will not work for those endpoints.

Autonomous agents should get their first API key with POST /v1/platform/agent/register. Human operators should create and rotate keys through the TutorFlow dashboard, which calls the dashboard admin-auth endpoints on their behalf.

Error Responses

Invalid or missing API key:

{
  "error": {
    "code": "platform_invalid_api_key",
    "message": "Invalid or missing Platform API key",
    "status": 401
  }
}

Rate limit exceeded:

{
  "error": {
    "code": "platform_rate_limit_exceeded",
    "message": "Rate limit exceeded",
    "status": 429
  }
}
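The following client-side sketch is an added example, not TutorFlow's own code. It loads the key from the environment, keeps it out of logs, attaches it with the Bearer scheme, and maps the two documented error codes to a client action. The environment variable name, the helper names and the sample key are assumptions made for illustration.

```python
import json
import os
import urllib.request

KEY_PREFIX = "tf_platform_"          # prefix documented on this page
ENV_VAR = "TUTORFLOW_PLATFORM_KEY"   # assumed variable name, not from the docs

# Constructed sample bodies in the error shape shown above.
SAMPLE_401 = '{"error": {"code": "platform_invalid_api_key", "status": 401}}'
SAMPLE_429 = '{"error": {"code": "platform_rate_limit_exceeded", "status": 429}}'


def load_platform_key(env=os.environ):
    """Read the key from the environment and reject obviously wrong values."""
    key = env.get(ENV_VAR, "").strip()
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError(f"{ENV_VAR} is unset or is not a Platform API key")
    return key


def redact(key):
    """Form of the key that is safe to log: prefix plus the last 4 characters."""
    return f"{KEY_PREFIX}...{key[-4:]}"


def build_request(url, key):
    """Attach the key with the Bearer scheme; refuse non-HTTPS URLs."""
    if not url.startswith("https://"):
        raise ValueError("Platform API keys must only be sent over HTTPS")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def classify_error(body):
    """Map the documented error envelope to a client action."""
    err = json.loads(body).get("error", {})
    code, status = err.get("code"), err.get("status")
    if code == "platform_invalid_api_key" or status == 401:
        return "fix_key"    # retrying with the same key cannot succeed
    if code == "platform_rate_limit_exceeded" or status == 429:
        return "back_off"   # wait before sending again
    return "unknown"


if __name__ == "__main__":
    key = load_platform_key({ENV_VAR: "tf_platform_EXAMPLEONLY0000"})  # constructed key
    print(redact(key), classify_error(SAMPLE_401), classify_error(SAMPLE_429))
```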