API keys authenticate your SDK, services, and read-only clients with TruLayer. Manage them under Settings → API keys.Documentation Index
Fetch the complete documentation index at: https://docs.trulayer.ai/llms.txt
Use this file to discover all available pages before exploring further.
List view
Columns:- Name — the label you gave the key at creation.
- Prefix — the first 8 characters of the key (e.g.
tl_prod_4f2a…). The plaintext secret is never shown after creation. - Scope —
fullorquery_only. - Created / Last used — timestamps; stale keys are candidates for rotation.
- Status —
activeorrevoked. Revoked keys remain visible for audit.
Scopes
When creating a key you pick one scope:- Full access — read + write across every TruLayer endpoint. Use for ingestion (SDK, backend services) and for anything that mutates traces, feedback, eval runs, or policies.
- Query only — read-only access to traces, evals, and metrics. Use for MCP servers, AI agents, and any read-only analytical client. Query-only keys cannot ingest traces or mutate any resource.
Creating a key
- Open Settings → API keys.
- Click New key.
- Give it a descriptive name (for example
agent-productionorci-ingest). - Choose a scope — Full access or Query only.
- Click Create. Copy the plaintext key immediately — it is not shown again.
Rotating a key
TruLayer supports overlapping validity — create a new key, deploy it, then revoke the old one:- New key with the same scope; name it with a version suffix (
agent-production-v2). - Roll the new key out via env vars; confirm traces are still ingesting (dashboard shows Last used timestamp updating).
- Revoke the old key from the list.
Revoking a key
Revoking is immediate and cannot be undone. Revoked keys remain in the list (marked Revoked) so you keep an audit trail of when each key was active. Requests authenticated with a revoked key return HTTP401 with error.code = "key_revoked".