Authentication
Authenticate requests to the Tapeto REST API with an API key or a session bearer token.
The Tapeto REST API (api.tapeto.dev, base path /api/v1) supports two authentication methods.
API keys (recommended for integrations)
Generate a key from your account (Settings → API Keys → Create). A key looks like tk_live_ followed by 40 hexadecimal characters.
curl https://api.tapeto.dev/api/v1/conversions \
-H "x-api-key: tk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Keys are shown once
The full key is only ever returned at creation time. Tapeto stores a bcrypt hash, not the key itself — if you lose it, revoke it and create a new one.
Key behavior:
- Keys can carry an optional expiration date (expires_at); expired keys are rejected.
- Each use updates last_used_at, so you can spot unused or stale keys.
- Manage keys with:
  - GET /api/v1/auth/api-keys: list your keys (only the prefix and metadata, never the full key)
  - POST /api/v1/auth/api-keys: create a key ({ name, expires_at?, scopes? })
  - DELETE /api/v1/auth/api-keys/:id: revoke a key
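One way to act on expires_at and last_used_at is a periodic key audit. This is an added example, not Tapeto's own code. It assumes GET /api/v1/auth/api-keys returns a JSON array of objects with id, name, expires_at and last_used_at as ISO 8601 strings or null; the 90-day threshold is an arbitrary policy choice.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed policy threshold, not a Tapeto default


def _ts(value):
    """Parse an ISO 8601 timestamp (assumed format); None means the field is unset."""
    if value is None:
        return None
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Treat naive timestamps as UTC so comparisons never mix naive and aware values.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_keys(keys, now, stale_after=STALE_AFTER):
    """Return {key id: [findings]} for every key that needs attention."""
    report = {}
    for key in keys:
        findings = []
        expires = _ts(key.get("expires_at"))
        last_used = _ts(key.get("last_used_at"))
        if expires is None:
            findings.append("no expiration set")
        elif expires <= now:
            findings.append("expired")
        if last_used is None:
            findings.append("never used")
        elif now - last_used > stale_after:
            findings.append(f"unused for {(now - last_used).days} days")
        if findings:
            report[key["id"]] = findings
    return report


# Constructed sample of what the list endpoint might return (not real API output).
SAMPLE_KEYS = [
    {"id": "k1", "name": "ci", "expires_at": "2025-12-31T00:00:00Z", "last_used_at": "2025-05-30T09:00:00Z"},
    {"id": "k2", "name": "old-script", "expires_at": None, "last_used_at": "2024-11-01T00:00:00Z"},
    {"id": "k3", "name": "forgotten", "expires_at": "2025-01-01T00:00:00Z", "last_used_at": None},
]

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for key_id, findings in audit_keys(SAMPLE_KEYS, now).items():
        print(key_id, "->", "; ".join(findings))
```

Keys that show up in the report are candidates for DELETE /api/v1/auth/api-keys/:id, or for re-creation with an expires_at value.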
Bearer tokens (used by the web app)
The Tapeto web app authenticates with a JWT session token issued by InsForge, sent as a standard bearer token:
Authorization: Bearer <token>
This is the same mechanism the web app itself uses after you log in — most API integrations should use an API key instead, since it doesn’t expire on a session timeout.
Rate limits
Requests are limited per minute, based on your plan:
| Plan | Requests / minute |
|---|---|
| Free | 30 |
| Starter | 60 |
| Pro | 120 |
| Agency | 200 |
| Studio | 300 |
When you hit the limit, the API responds with 429 and these headers:
X-RateLimit-Limit
X-RateLimit-Remaining
X-RateLimit-Reset
Next step
Continue with the Endpoints reference for the conversions and webhooks API.