Search Documentation
Search through documentation, guides, and resources.
API Keys Management
Create, manage, and secure your Truuly API keys for programmatic access
Last Updated: January 27, 2025
Creating API Keys
Step 1: Navigate to API Keys
- Go to Settings → API Keys (or click your avatar → API Keys)
- Click the "+ Create API Key" button
Step 2: Configure Key Settings
Required Information:
- Key Name
Descriptive name to identify this key (e.g., "Production App", "Development", "Mobile App")
- Environment
Production or Development (dev keys have higher rate limits for testing)
- Permissions Optional
Limit what this key can do: Humanize only, Detect only, or Full access
- Rate Limit Optional
Custom rate limit lower than your plan limit (for security)
- Expiration Optional
Auto-expire key after X days (30, 90, 365, or never)
Step 3: Save Your Key
After clicking "Create", copy the full API key from the dialog. It looks like:
Store this in your environment variables or secrets manager - never commit it to code repositories!
API Key Types
Production Keys
LiveFor use in production applications. Starts with truuly_live_
Characteristics:
- • Counts against your monthly word limit
- • Subject to plan rate limits (100 req/min Pro, custom for Enterprise)
- • Used for real customer requests
- • Should be rotated periodically for security
Development Keys
TestFor testing and development. Starts with truuly_test_
Characteristics:
- • Does NOT count against monthly limits
- • Higher rate limits (500 req/min)
- • Limited to 1,000 words per request
- • Perfect for integration testing and development
Restricted Keys
Limited AccessKeys with custom permissions and rate limits for specific use cases.
Common Use Cases:
- • Frontend proxies (humanize-only, no detection)
- • Third-party integrations (read-only access)
- • Internal tools (lower rate limits)
- • Temporary access for contractors (auto-expiring)
Managing API Keys
Viewing Keys
The API Keys page shows all your keys with:
- Key name and masked key (last 4 characters visible)
- Created date and last used timestamp
- Environment (Production/Development)
- Usage stats (requests made, words processed)
- Status (Active, Revoked, Expired)
Rotating Keys
For security, rotate (replace) API keys every 90 days or when:
- Key may have been exposed (committed to git, shared accidentally)
- Team member with access leaves the company
- Suspicious activity detected on your account
- Compliance requirements mandate rotation
Rotation Process:
- Create new API key with same permissions
- Update your application to use new key
- Deploy and verify new key works
- Revoke old key after confirming switch is successful
- Monitor for any requests using old key (will fail)
Revoking Keys
Immediately disable a key if it's compromised:
- Go to API Keys page
- Click "⋯" menu next to the key
- Select "Revoke Key"
- Confirm revocation
Revoked keys cannot be reactivated - you must create a new key if needed.
Editing Key Settings
You can update certain key settings after creation:
Can Edit:
- ✓ Key name
- ✓ Rate limit (can only decrease)
- ✓ Permissions (can only restrict)
- ✓ Expiration date
Cannot Edit:
- ✗ Key value (create new key instead)
- ✗ Environment (Production ↔ Development)
- ✗ Workspace/project association
Security Best Practices
Use Environment Variables
Never hardcode API keys in your source code. Use environment variables or secrets managers:
Add .env to .gitignore
Ensure environment files are NEVER committed to version control. Add to .gitignore immediately.
Use Least Privilege
Create keys with minimum required permissions. If app only needs humanization, don't grant detection access.
Implement Rate Limiting
Set custom rate limits lower than your plan allows. This minimizes damage if a key is compromised.
Monitor Key Usage
Check the "Last Used" timestamp regularly. If a key shows activity you don't recognize, revoke it immediately.
Rotate Keys Regularly
Set a calendar reminder to rotate production keys every 90 days. Development keys can be rotated less frequently.
Never Use Keys Client-Side
API keys must NEVER be included in frontend JavaScript, mobile apps, or any client code. Always proxy through your backend.
Don't Share Keys Between Projects
Create separate API keys for each application/project. This makes it easier to track usage and revoke access if needed.
Don't Ignore Suspicious Activity
If you see unexpected spikes in usage or requests from unknown IPs, revoke the key immediately and investigate.
What to Do If Key Is Exposed
Immediate Actions (within 5 minutes):
- Revoke the exposed key - Go to API Keys page → Revoke immediately
- Create new key - Generate replacement with same permissions
- Update applications - Deploy new key to all affected apps
- Monitor usage - Check recent activity for unauthorized usage
Follow-Up Actions (within 24 hours):
- Remove from public source - Delete from GitHub history, edit forum posts
- Review usage logs - Check if exposed key was used by unauthorized parties
- Contact support - If you see suspicious activity, notify us immediately
- Update security practices - Review how the exposure happened and prevent future incidents
Preventing Future Exposures:
- Use git-secrets or similar tools to scan commits for secrets
- Enable GitHub secret scanning (auto-detects exposed credentials)
- Use .env files and ensure they're in .gitignore
- Educate team members on API key security
- Use pre-commit hooks to block files containing "truuly_live_" or "truuly_test_"
API Key Limits
Key Limits by Plan:
- • Free: No API access (upgrade to Pro for API keys)
- • Pro: Up to 5 API keys (3 production, 2 development)
- • Enterprise: Unlimited API keys
If you need more keys on Pro plan, contact sales to discuss Enterprise options.
Next Steps
API Integration
Security Resources
- • Security Best Practices Guide
- • Troubleshooting
- • Contact Support