Authentication
All TrueEntropy API requests require authentication via API keys. Keys are generated in your Developer Dashboard and use Bearer token authentication.
API Key Format
TrueEntropy API keys follow a consistent format for easy identification:
| Prefix | Environment | Example |
|---|---|---|
| te_live_ | Production | te_live_a7f2b9c4d8e1f3a5b7c9d2e4f6a8b0c3 |
| te_test_ | Sandbox | te_test_9d0ea1b3c5d7e9f1a3b5c7d9e1f3a5b7 |
Using Your Key
Include your API key in the Authorization header of every request:
Authorization: Bearer te_live_a7f2b9c4d8e1f3a5...
Scoped Permissions
API keys can be created with specific scopes to limit access:
| Scope | Access |
|---|---|
| * (all) | Full access to all endpoints |
| entropy:read | Read-only access to entropy endpoints (integers, bytes, floats, uuid, bitstring) |
| entropy:batch | Access to the batch endpoint only |
| entropy:shuffle | Access to the shuffle endpoint only |
| certificate:read | Access to certificate retrieval |
| usage:read | Access to usage statistics |
Key Rotation
API keys can be rotated from the API Keys page in your dashboard. When you rotate a key:
- A new key is generated with the same name, scopes, and environment
- The old key remains active for 24 hours (grace period)
- After 24 hours, the old key is permanently revoked
Security Best Practices
- Never embed keys in client-side code - Always call the API from your backend
- Use environment variables - Store keys in .env files, not source code
- Use scoped keys - Create keys with minimum required permissions
- Rotate regularly - Set a rotation schedule (e.g. every 90 days)
- Monitor usage - Set up usage alerts in your dashboard to detect anomalous activity
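The recognizable key prefixes make it practical to check that keys stay out of source code. The scanner below is an added example, not TrueEntropy's own tooling. It assumes a key is the prefix plus 32 lowercase hex characters (inferred from the example keys in the format table), and the `TRUEENTROPY_KEY` variable name is hypothetical.

```python
import re
import sys

# Assumption: a full key is the prefix plus 32 lowercase hex characters,
# inferred from the two example keys in the format table.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])te_(live|test)_[0-9a-f]{32}(?![0-9a-f])")
ENVIRONMENT = {"live": "production", "test": "sandbox"}


def redact(key):
    """Keep the prefix and four characters so a finding can be logged safely."""
    return key[:12] + "..."


def scan_text(text, path="<memory>"):
    """Return (path, line_no, environment, redacted_key) for every key found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            env = ENVIRONMENT[match.group(1)]
            findings.append((path, line_no, env, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan files (for example, the staged files of a commit) and collect findings."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), path))
    return findings


# Constructed sample input: the keys below are made up for this example.
SAMPLE = "\n".join([
    'const apiKey = "te_live_' + "0123456789abcdef" * 2 + '";',  # hard-coded production key
    "  api_key: te_test_" + "f" * 32,                            # sandbox key in committed config
    'api_key = os.environ["TRUEENTROPY_KEY"]',                   # read from environment: clean
    "Authorization: Bearer te_live_a7f2b9c4d8e1f3a5...",         # truncated docs placeholder: clean
])

if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for path, line_no, env, shown in results:
        print(f"{path}:{line_no}: {env} TrueEntropy key {shown}")
    sys.exit(1 if results else 0)
```

Run it with file paths as arguments, for example from a pre-commit hook over staged files; a non-zero exit status means at least one key was found.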
Key Storage
TrueEntropy stores your API keys using Argon2id hashing. We cannot retrieve your full key after creation - only the prefix is visible in your dashboard. If you lose a key, you must create a new one.