| title | Authentication |
|---|---|
| description | Bearer credentials for the Tumban API — API keys for server use, session tokens for dashboard sessions. |
| icon | key |
{/* sources: src/auth, src/api/routes_auth.py */}
All Tumban API requests require an Authorization: Bearer <token> header.
Tumban accepts two token kinds:
- API keys (
sk_…) — long-lived secrets you create in the dashboard or via Create API key. Use these for server-to-server integration. - Session tokens — short-lived credentials issued to a signed-in dashboard user. Used by the Tumban dashboard. You generally do not handle these directly.
Authorization: Bearer sk_<64-hex-string>Any token starting with sk_ is treated as an API key; anything else is
treated as a session token.
API keys are scoped to your organization and can call every endpoint in this reference except the five management endpoints below. These require a dashboard session because they mutate authentication or organization-wide configuration.
| Endpoint | Required auth |
|---|---|
PATCH /org/settings |
Dashboard session, admin role |
POST /org/webhook-secret/rotate |
Dashboard session, admin role |
POST /org/api-keys |
Dashboard session (any role) |
GET /org/api-keys |
Dashboard session (any role) |
DELETE /org/api-keys/{key_id} |
Dashboard session (any role; see Revoke API key for role-aware ownership rules) |
API keys hitting any of these endpoints get 403 — credential
management is intentionally locked out of sk_… auth so a leaked key
cannot mint, list, or revoke other keys. See
Errors → common detail strings for
the exact detail text to match on.
Each request looks up the key by SHA-256 hash, scopes the request to the
key's organization, and updates the key's last_used_at timestamp.
Revoked keys return 401 Invalid or revoked API key.
Tumban does not expire API keys automatically. To rotate:
- Create a new key and deploy it to your servers.
- Once traffic has cut over (watch
last_used_aton the old key via List API keys), revoke the old key.
There is no overlap window beyond the time it takes you to deploy — both keys remain valid until the old one is revoked.
Tumban only stores the SHA-256 hash of an API key. The raw sk_… value is
returned exactly once at creation time. If you lose it, revoke the key and
create a new one.
Every authenticated request resolves to exactly one org_id. Tumban
treats it as an opaque, case-sensitive string — do not regex-match
it against a hex or numeric alphabet. The leading org_ prefix is the
only guaranteed part of the shape. Examples (org_2abc...) in this
reference are illustrative; the body is alphanumeric and may include
mixed case.
| Status | Meaning |
|---|---|
| 401 | Missing Authorization header, malformed Bearer prefix, or invalid/revoked credential. |
| 403 | Token decodes but the active organization context is missing (session tokens only), or API-key auth was used on one of the five endpoints that require a dashboard session (see table above), or the role is insufficient on an admin-only endpoint. |
See Errors for the full error envelope.