> ## Documentation Index
> Fetch the complete documentation index at: https://docs.testyourappnow.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate Requests with a API Key

> Generate and manage API keys from your workspace settings, then pass them as Bearer tokens to authenticate every TYAN API request.

Every request to the TYAN API must include a valid API key passed as a Bearer token in the `Authorization` header. API keys are verified through Unkey — there are no cookies, sessions, or OAuth flows, just a single header on every request. If the header is missing, invalid, disabled, or expired, the API returns a `401 Unauthorized` response immediately.

## Getting Your API Key

<Steps>
  <Step title="Log in to your workspace">
    Go to [testyourappnow.com](https://testyourappnow.com) and sign in to your account.
  </Step>

  <Step title="Navigate to API Keys">
    Open **Settings → Workspace → API Keys** in the left-hand navigation.
  </Step>

  <Step title="Create a new key">
    Click **Create Key** and give it a descriptive name that identifies the integration — for example, `GitHub Actions` or `Staging Monitor`.
  </Step>

  <Step title="Copy your key immediately">
    Your full API key is shown **only once** at creation time. Copy it now and store it in a safe location. If you lose it, you'll need to revoke the old key and create a new one.
  </Step>
</Steps>

## Using Your API Key

Pass your API key in the `Authorization` header of every request using the `Bearer` scheme. Since every endpoint uses `POST` with a JSON body, always include `Content-Type: application/json` as well:

```bash theme={null}
curl -X POST https://api.testyourappnow.com/test/flow \
  -H "Authorization: Bearer tyan_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{ "action": "list" }'
```

Replace `tyan_live_xxxxxxxxxxxx` with your actual API key. The key works the same way regardless of which endpoint you're calling.

## Security Best Practices

<Warning>
  Never commit API keys to source control. If you accidentally expose a key in a public repository, revoke it immediately from **Settings → Workspace → API Keys → Revoke** and generate a new one.
</Warning>

* **Use environment variables.** Store your API key in an environment variable (e.g., `TYAN_API_KEY`) and read it at runtime rather than hardcoding it in your code.
* **Use a secrets manager.** For production deployments, store keys in a dedicated secrets manager such as AWS Secrets Manager, HashiCorp Vault, or GitHub Actions Secrets.
* **Create one key per integration.** Assign a separate API key to each service or pipeline that calls the API (CI, a monitoring script, a webhook receiver, etc.). That way, if one key is compromised, you can revoke it without disrupting other integrations.
* **Rotate keys periodically.** Even if a key hasn't been exposed, rotating it regularly limits the window of risk.

## Authentication Errors

| HTTP Status | Meaning                                                                                |
| ----------- | -------------------------------------------------------------------------------------- |
| `401`       | The `Authorization` header is missing, or the API key is invalid, disabled, or expired |
| `402`       | The API key is valid but your account has run out of credits                           |
| `403`       | The API key is valid but lacks permission, or the target domain is unverified          |
| `429`       | You've hit the rate limit for this API key                                             |
