Authorization header. API keys are verified through Unkey — there are no cookies, sessions, or OAuth flows, just a single header on every request. If the header is missing, invalid, disabled, or expired, the API returns a 401 Unauthorized response immediately.
Getting Your API Key
Log in to your workspace
Go to testyourappnow.com and sign in to your account.
Create a new key
Click Create Key and give it a descriptive name that identifies the integration — for example,
GitHub Actions or Staging Monitor.Using Your API Key
Pass your API key in theAuthorization header of every request using the Bearer scheme. Since every endpoint uses POST with a JSON body, always include Content-Type: application/json as well:
tyan_live_xxxxxxxxxxxx with your actual API key. The key works the same way regardless of which endpoint you’re calling.
Security Best Practices
- Use environment variables. Store your API key in an environment variable (e.g.,
TYAN_API_KEY) and read it at runtime rather than hardcoding it in your code. - Use a secrets manager. For production deployments, store keys in a dedicated secrets manager such as AWS Secrets Manager, HashiCorp Vault, or GitHub Actions Secrets.
- Create one key per integration. Assign a separate API key to each service or pipeline that calls the API (CI, a monitoring script, a webhook receiver, etc.). That way, if one key is compromised, you can revoke it without disrupting other integrations.
- Rotate keys periodically. Even if a key hasn’t been exposed, rotating it regularly limits the window of risk.
Authentication Errors
| HTTP Status | Meaning |
|---|---|
401 | The Authorization header is missing, or the API key is invalid, disabled, or expired |
402 | The API key is valid but your account has run out of credits |
403 | The API key is valid but lacks permission, or the target domain is unverified |
429 | You’ve hit the rate limit for this API key |