Authentication
Tuned Tensor supports two authentication methods: API keys for programmatic access and session cookies for the dashboard.
API Keys
API keys are the recommended way to authenticate. Keys are prefixed with tt_ and sent in the Authorization header:
curl https://api.tunedtensor.com/v1/behavior-specs \
-H "Authorization: Bearer tt_your_api_key"
Create an API Key
Create API keys in the dashboard: Settings → API Keys → Create API Key. The full key is only shown once at creation time — store it securely.
Revoke an API Key
curl -X DELETE https://api.tunedtensor.com/v1/api-keys/:id \
-H "Authorization: Bearer tt_your_api_key"
Revoked keys stop working immediately.
List API Keys
curl https://api.tunedtensor.com/v1/api-keys \
-H "Authorization: Bearer tt_your_api_key"
Returns all keys with key_prefix for identification. The full key is never returned after creation.
Session Authentication
The dashboard uses Supabase session cookies, set automatically on login. Session auth also works for API requests from browser JavaScript.
Response Format
All API responses follow a consistent envelope:
Success
{
"data": { ... },
"meta": { // only for paginated endpoints
"page": 1,
"per_page": 20,
"total": 42
}
}
Error
{
"error": {
"code": "not_found",
"message": "Behaviour spec not found"
}
}
Common Error Codes
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized | Missing or invalid API key / session |
| 403 | forbidden | API key revoked |
| 404 | not_found | Resource not found or not owned by you |
| 400 | validation_error | Invalid request body |
| 500 | internal_error | Server error |
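A client-side sketch of handling the envelope and error table above while keeping the key out of source code and logs. This is an added example, not Tuned Tensor's own code: the TT_API_KEY variable name, the helper names and the client-side codes malformed_response and unknown are assumptions.

```python
import json
import os

KEY_ENV_VAR = "TT_API_KEY"  # assumed name; the page does not define one


class ApiError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message
        # Error table: 403 forbidden means the API key was revoked.
        self.key_revoked = status == 403 and code == "forbidden"


def redact(key):
    """Log-safe form of a key: keep the tt_ prefix, mask everything else."""
    return "tt_********" if key.startswith("tt_") else "<not a tt_ key>"


def auth_headers(env=os.environ):
    """Build the Authorization header from the environment, not from source."""
    key = env.get(KEY_ENV_VAR, "")
    if not key.startswith("tt_") or len(key) <= 3:
        raise ValueError(f"{KEY_ENV_VAR} is unset or does not hold a tt_ key")
    return {"Authorization": f"Bearer {key}"}


def parse_envelope(status, body):
    """Return (data, meta) on success; raise ApiError for an error envelope."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        # "malformed_response" is a client-side code, not one the API returns.
        raise ApiError(status, "malformed_response", "body is not a JSON object")
    if status >= 400 or "error" in doc:
        err = doc.get("error") if isinstance(doc.get("error"), dict) else {}
        raise ApiError(status, err.get("code", "unknown"), err.get("message", ""))
    return doc.get("data"), doc.get("meta")  # meta is None unless paginated


if __name__ == "__main__":
    # Constructed sample body, shaped like the page's error envelope.
    sample = '{"error": {"code": "forbidden", "message": "API key revoked"}}'
    try:
        parse_envelope(403, sample)
    except ApiError as exc:
        print("key revoked:", exc.key_revoked)
```

Treat key_revoked as the signal to stop retrying and rotate the key, and log only redact(key), never the header value.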