Skip to main content
Every request to the TYAN API must include a valid API key passed as a Bearer token in the Authorization header. API keys are verified through Unkey — there are no cookies, sessions, or OAuth flows, just a single header on every request. If the header is missing, invalid, disabled, or expired, the API returns a 401 Unauthorized response immediately.

Getting Your API Key

1

Log in to your workspace

Go to testyourappnow.com and sign in to your account.
2

Navigate to API Keys

Open Settings → Workspace → API Keys in the left-hand navigation.
3

Create a new key

Click Create Key and give it a descriptive name that identifies the integration — for example, GitHub Actions or Staging Monitor.
4

Copy your key immediately

Your full API key is shown only once at creation time. Copy it now and store it in a safe location. If you lose it, you’ll need to revoke the old key and create a new one.

Using Your API Key

Pass your API key in the Authorization header of every request using the Bearer scheme. Since every endpoint uses POST with a JSON body, always include Content-Type: application/json as well:
curl -X POST https://api.testyourappnow.com/test/flow \
  -H "Authorization: Bearer tyan_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{ "action": "list" }'
Replace tyan_live_xxxxxxxxxxxx with your actual API key. The key works the same way regardless of which endpoint you’re calling.

Security Best Practices

Never commit API keys to source control. If you accidentally expose a key in a public repository, revoke it immediately from Settings → Workspace → API Keys → Revoke and generate a new one.
  • Use environment variables. Store your API key in an environment variable (e.g., TYAN_API_KEY) and read it at runtime rather than hardcoding it in your code.
  • Use a secrets manager. For production deployments, store keys in a dedicated secrets manager such as AWS Secrets Manager, HashiCorp Vault, or GitHub Actions Secrets.
  • Create one key per integration. Assign a separate API key to each service or pipeline that calls the API (CI, a monitoring script, a webhook receiver, etc.). That way, if one key is compromised, you can revoke it without disrupting other integrations.
  • Rotate keys periodically. Even if a key hasn’t been exposed, rotating it regularly limits the window of risk.

Authentication Errors

HTTP StatusMeaning
401The Authorization header is missing, or the API key is invalid, disabled, or expired
402The API key is valid but your account has run out of credits
403The API key is valid but lacks permission, or the target domain is unverified
429You’ve hit the rate limit for this API key