API Keys
Last updated on May 21, 2026
Anything that talks to the API outside the browser uses an API key. User keys authenticate as a user, and Station keys authenticate the bench. Both are bearer tokens that you pass in the Authorization header.
| Key type | Belongs to | Used by |
|---|---|---|
| User key | A specific user | Personal SDK use, ad-hoc scripts, CI jobs |
| Station key | A specific station | The CLI in Station mode and code on that bench |
User keys
User keys inherit the role and team scope of their owner, so a Developer's key writes Runs while a Viewer's key reads only. This means you control what a key can do by adjusting the owning user's role.
Create a user key
To mint a new key, you generate it from your settings and copy it once when it appears.
- Open Settings > API keys.
- Click Create key, give it a name, and pick an expiry.
- Copy the key. It is shown once, so store it in a secrets manager or a .env file before you close the dialog.
Use a user key
You authenticate by sending the key as a bearer token, the same way you would with any REST API.
```shell
curl https://tofupilot.app/api/v2/runs \
  -H "Authorization: Bearer $TOFUPILOT_API_KEY"
```

Every SDK reads TOFUPILOT_API_KEY from the environment, so you do not need to pass the key in code.
```python
from tofupilot.v2 import TofuPilot

client = TofuPilot()  # reads TOFUPILOT_API_KEY
```

Revoke a user key
When a key leaks or you no longer need it, revoke it from the same page where you created it.
- Open Settings > API keys.
- Find the key and select Revoke.
Revocation is immediate, and requests with the revoked key return 401 Unauthorized.
Station keys
A station key acts only on the station it was issued for. It writes runs for the station's Procedures, reads its own configuration, and reports health. It cannot read other stations' data, invite members, or change roles.
Create a station key
Station keys are issued when you register a station, so you do not create them by hand. The install command embeds a one-hour setup token, and the CLI exchanges it for a long-lived station key on first boot. For the full registration flow, see Stations.
Rotate a station key
When you need to rotate a station's credentials, the dashboard revokes the old key and the CLI re-runs setup automatically.
- Open Stations and pick the station.
- Click Rotate key. The old key is revoked.
- The CLI detects the revocation on its next request and re-runs setup with a new token.
Permissions
Keys inherit the permissions of their owner, so you do not configure permissions on the key itself.
- A user key carries the user's role, team assignments, and 2FA-enforcement status.
- A station key is scoped to the station's procedures and read-only access to its configuration.
Assign the right role and team, and keys are scoped automatically.
Audit and rotation
Every key carries created_at, last_used_at, and expires_at. You can sort by last_used_at to find stale keys, or by expires_at for keys nearing expiration.
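As an added example (not TofuPilot's own code), the following audit walks a list of key records carrying the created_at, last_used_at and expires_at fields named above and flags keys that are idle or about to expire; it assumes those fields are ISO 8601 timestamps, and the records and audit date are constructed.

```python
"""Stale-key and expiry audit over API key metadata.

Added example, not TofuPilot's own code. It assumes key records that expose the
created_at, last_used_at and expires_at fields named on this page as ISO 8601
timestamps (last_used_at is None for a key that was never used). The records
and the audit date below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample records.
SAMPLE_KEYS = [
    {"name": "ci-deploy", "created_at": "2026-01-10T09:00:00Z",
     "last_used_at": "2026-05-20T08:15:00Z", "expires_at": "2026-07-01T00:00:00Z"},
    {"name": "old-laptop", "created_at": "2025-11-02T12:00:00Z",
     "last_used_at": "2026-01-15T17:30:00Z", "expires_at": "2026-11-02T00:00:00Z"},
    {"name": "never-used", "created_at": "2026-02-01T00:00:00Z",
     "last_used_at": None, "expires_at": "2026-05-25T00:00:00Z"},
]
AUDIT_NOW = datetime(2026, 5, 21, tzinfo=timezone.utc)  # constructed audit date


def _parse(ts):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return None if ts is None else datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_keys(keys, now, stale_after_days=60, expiring_within_days=7):
    """Classify keys for revocation or rotation.

    Returns {"stale": [...], "expiring": [...]} of key names. A key is stale when
    its last activity is older than stale_after_days; a never-used key counts
    from created_at, so a forgotten key is not hidden by a null last_used_at.
    A key is expiring when expires_at is within expiring_within_days (or past).
    Stale keys are listed longest-idle first.
    """
    stale, expiring = [], []
    for key in keys:
        last_activity = _parse(key["last_used_at"]) or _parse(key["created_at"])
        if now - last_activity > timedelta(days=stale_after_days):
            stale.append((last_activity, key["name"]))
        if _parse(key["expires_at"]) - now <= timedelta(days=expiring_within_days):
            expiring.append(key["name"])
    stale.sort()
    return {"stale": [name for _, name in stale], "expiring": expiring}


if __name__ == "__main__":
    for bucket, names in audit_keys(SAMPLE_KEYS, AUDIT_NOW).items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```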