Authentication
Every request to Takumo needs an API key. Keys authenticate your tools and track usage per organization.
Getting your first key
Sign in
Go to cloud.takumo.io and sign in to your account.
Create a key
Click Create Key. Give it a name that tells you where it’s used (cursor-laptop, ci-pipeline, team-shared).
Setting the key
.env file:
| Prefix | Environment |
|---|---|
| tk_live_ | Production |
| tk_test_ | Test / development |
Key scopes
Scopes control what an API key can do. Assign the minimum scopes needed.
| Scope | What it controls |
|---|---|
| shield:read | Read scan results and detection history |
| shield:write | Run scans, tokenize, and rehydrate |
| audit:read | Read audit log entries |
| fleet:read | View gateway fleet status |
| fleet:write | Register and manage gateways |
| policy:read | Read policy configurations |
| policy:write | Create and update policies |
| org:read | Read organization settings |
| org:write | Update organization settings, manage members |
Rotation
Create a new key. Update your tools to use the new key. Revoke the old one. No grace period needed if you switch atomically. For zero-downtime rotation:
- Create a new key with the same scopes
- Deploy the new key to your tools
- Verify requests succeed with the new key
- Revoke the old key
Revocation
Revocation takes effect within seconds. A revoked key returns 401 Unauthorized immediately. There is no undo.
To revoke a key: Settings > API Keys > click the key > Revoke.
Security
Keys are SHA-256 hashed before storage. Takumo never stores your key in plaintext. Constant-time comparison prevents timing attacks. The raw key exists only at creation time. After you close the creation dialog, the only copy is the one you saved.
Plan limits
| Plan | Max API Keys |
|---|---|
| Free | 3 |
| Developer | 10 |
| Pro | 20 |
| Enterprise | Unlimited |
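The storage and comparison scheme described under Security, combined with scope checks and revocation, sketched as an added Python example. This is not Takumo's implementation: the key layout after the prefix (a lookup id, then a random secret), the class and method names, and the 403 returned for a missing scope are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIXES = ("tk_live_", "tk_test_")  # prefixes from the table on this page


def _digest(raw: str) -> bytes:
    return hashlib.sha256(raw.encode("utf-8")).digest()


class KeyStore:
    """Illustrative server-side store: holds SHA-256 digests, never raw keys."""

    def __init__(self):
        self._records = {}  # key_id -> digest, scopes, revoked flag

    def create(self, scopes, live=True):
        # Assumed layout: <prefix><public lookup id>_<random secret>.
        key_id = secrets.token_hex(4)
        prefix = PREFIXES[0] if live else PREFIXES[1]
        raw = f"{prefix}{key_id}_{secrets.token_urlsafe(32)}"
        self._records[key_id] = {
            "digest": _digest(raw),
            "scopes": frozenset(scopes),
            "revoked": False,
        }
        return key_id, raw  # the raw key is returned once and not kept

    def revoke(self, key_id):
        self._records[key_id]["revoked"] = True

    def authorize(self, presented, scope):
        """Return an HTTP-style status for a presented key and required scope."""
        prefix = next((p for p in PREFIXES if presented.startswith(p)), None)
        if prefix is None:
            return 401
        key_id = presented[len(prefix):].partition("_")[0]
        record = self._records.get(key_id)
        # Unknown ids are compared against a dummy digest so both paths do the
        # same work; compare_digest does not exit early at the first mismatch.
        expected = record["digest"] if record else bytes(32)
        matches = hmac.compare_digest(_digest(presented), expected)
        if record is None or not matches or record["revoked"]:
            return 401
        # 403 for a valid key lacking the scope is an assumption.
        return 200 if scope in record["scopes"] else 403
```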