
Authentication

The Tewdy API uses API keys for programmatic access. API keys are scoped, rotatable, and support IP whitelisting for production security.

Creating an API Key

  1. Log in to your Tewdy account
  2. Navigate to Settings > Developer > API Keys
  3. Click Create API Key
  4. Choose a name, scopes, and expiration
  5. Copy the key immediately — it won’t be shown again

Key Format

All Tewdy API keys start with the tewdy_ prefix, followed by 64 hex characters:

tewdy_a1b2c3d4e5f6...

This prefix makes keys identifiable by secret scanners (e.g., GitHub, GitGuardian).
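
The documented format is regular enough to check for in your own repositories before a commit. The following Python script is an added example, not Tewdy's own tooling; it assumes hex digits may be upper or lower case, and its function names and sample key are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Format taken from this page: "tewdy_" followed by 64 hex characters.
# Assumption: hex digits may be upper or lower case (the page shows lower case).
# The lookarounds keep longer identifiers or hex runs from matching as a key.
TEWDY_KEY_RE = re.compile(r"(?<![A-Za-z0-9_])tewdy_[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def redact(key: str) -> str:
    """Keep only enough of the key to find it in the dashboard."""
    return f"{key[:10]}...{key[-4:]}"


def scan_text(text: str, source: str = "<text>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted key) for every key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TEWDY_KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings


def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan each regular file in paths; unreadable bytes are ignored."""
    findings = []
    for name in paths:
        path = Path(name)
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="ignore")
            findings.extend(scan_text(text, name))
    return findings


# Constructed sample: a fake key (not a real credential) and a placeholder.
SAMPLE = (
    "API_URL=https://api.tewdy.com/api/v1/tasks\n"
    "TEWDY_API_KEY=tewdy_" + "a1b2c3d4" * 8 + "\n"
    "EXAMPLE=tewdy_your_api_key_here\n"
)

if __name__ == "__main__":
    files = sys.argv[1:]
    hits = scan_paths(files) if files else scan_text(SAMPLE, "sample")
    for source, lineno, key in hits:
        print(f"{source}:{lineno}: possible Tewdy API key {key}")
    # A non-zero exit blocks the commit when run as a pre-commit hook.
    sys.exit(1 if files and hits else 0)
```

Run it with staged file paths as arguments from a pre-commit hook; with no arguments it scans the embedded sample. Findings are printed redacted so the hook output does not itself leak the key.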

Using Your API Key

Pass your API key in the X-API-Key header:

curl https://api.tewdy.com/api/v1/tasks \
  -H "X-API-Key: tewdy_your_api_key_here"

JavaScript

const response = await fetch('https://api.tewdy.com/api/v1/tasks', {
  headers: {
    'X-API-Key': 'tewdy_your_api_key_here',
    'Content-Type': 'application/json',
  },
});
 
const tasks = await response.json();

Python

import requests
 
response = requests.get(
    'https://api.tewdy.com/api/v1/tasks',
    headers={'X-API-Key': 'tewdy_your_api_key_here'}
)
 
tasks = response.json()

Scopes

API keys are scoped to limit their permissions. Choose only the scopes your integration needs.

Scope          Description
tasks:read     Read tasks, list tasks, view task details
tasks:write    Create tasks, delete tasks
profile:read   Read user profile information

When a request requires a scope your key doesn’t have, the API returns a 403 error with code SCOPE_INSUFFICIENT.

IP Whitelisting

For production keys, you can restrict access to specific IP addresses or CIDR ranges. Requests from non-whitelisted IPs will be rejected with a 401 error.

Configure IP whitelisting when creating or updating your API key in the dashboard.

Key Rotation

To rotate a key without downtime:

  1. Go to Settings > Developer > API Keys
  2. Click the regenerate button on the key you want to rotate
  3. The old key is immediately revoked and a new key is generated
  4. Update your integration with the new key

Alternatively, create a new key first, update your integration, then revoke the old key for zero-downtime rotation.

Security Best Practices

  • Never commit API keys to source control. Use environment variables or a secrets manager.
  • Use the narrowest scopes possible. Only grant tasks:write if your integration creates or deletes tasks.
  • Set an expiration. Keys that expire reduce the impact of a leak.
  • Enable IP whitelisting for production server integrations.
  • Rotate keys regularly. If you suspect a key has been compromised, regenerate it immediately.
  • Monitor usage. Check the “Last Used” column in your dashboard to spot unexpected activity.

Limits

  • Maximum of 10 active API keys per user account
  • Key creation is rate-limited to 20 requests per minute
  • Lost keys cannot be recovered — you must regenerate a new one