Content Integration uses dedicated API keys that start with tf_content_. These keys are separate from TutorFlow admin sessions. Admin sessions create and manage keys. External systems use the created key as a bearer token.
Who can create keys
A signed-in TutorFlow admin for the organization can create, list, rotate, and revoke Content API keys.
Get the admin session cookie
Key management calls use the TutorFlow admin session cookie named jwt. For email and password admin accounts, create a cookie jar first:
export TUTORFLOW_API_BASE_URL="https://api.tutorflow.io"
curl -c tutorflow-admin.cookies -X POST "$TUTORFLOW_API_BASE_URL/auth/login" \
-H "Content-Type: application/json" \
-H "Referer: https://tutorflow.io/sign-in" \
-d '{
"email": "admin@example.com",
"password": "your-password",
"timezone": "Asia/Seoul"
}'Use the cookie jar on key management requests with -b tutorflow-admin.cookies. The login response does not return a Content API key. It only establishes the admin session that is allowed to create the dedicated tf_content_ key.
Create a key
curl -X POST "https://api.tutorflow.io/v1/content/organizations/{organizationId}/api-keys" \
-H "Content-Type: application/json" \
-b tutorflow-admin.cookies \
-d '{
"name": "external-content-test",
"rateLimitPerMinute": 60
}'Response:
{
"apiKey": "tf_content_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"keyId": "0b063e58-7e19-4787-90f0-d081c85f50d3",
"keyPrefix": "tf_content_abc123def456",
"name": "external-content-test",
"rateLimitPerMinute": 60
}The apiKey value is shown once. Store it immediately.
List keys
curl "https://api.tutorflow.io/v1/content/organizations/{organizationId}/api-keys" \
-b tutorflow-admin.cookiesResponse:
[
{
"id": "0b063e58-7e19-4787-90f0-d081c85f50d3",
"name": "external-content-test",
"keyPrefix": "tf_content_abc123def456",
"status": "ACTIVE",
"organizationId": "00000000-0000-4000-8000-000000000001",
"rateLimitPerMinute": 60,
"lastUsedAt": null,
"expiresAt": null
}
]List responses never include the full key or hash.
Rotate a key
Rotate a key when a secret owner changes or a key may have been exposed.
curl -X POST "https://api.tutorflow.io/v1/content/organizations/{organizationId}/api-keys/{keyId}/rotate" \
-b tutorflow-admin.cookiesResponse:
{
"apiKey": "tf_content_newxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"keyId": "3af3ff3d-5486-4a3e-932e-dbb68e6a7d65",
"keyPrefix": "tf_content_newabc123",
"name": "external-content-test",
"rateLimitPerMinute": 60
}Update the external system with the new key before sending new jobs.
Revoke a key
curl -X POST "https://api.tutorflow.io/v1/content/organizations/{organizationId}/api-keys/{keyId}/revoke" \
-b tutorflow-admin.cookiesRevoked keys immediately stop authorizing Content Integration requests.
Storage rules
- Store the full key in a secret manager.
- Never log the full
tf_content_value. - Include only
keyPrefixin support tickets. - Use separate keys for test and production.
- Rotate a key after staff changes, vendor changes, or suspected exposure.
Leaked key response
- Revoke the exposed key.
- Create or rotate to a new key.
- Update the external system secret.
- Retry one small request.
- Share the exposed key prefix and timestamp with TutorFlow support.