
Authentication

Generate, manage, and use your secret API key to authenticate REST API requests.

Every request to the REST API is authenticated with a personal Secret Key, sent as a Bearer token. This page explains how to find, use, rotate, and protect that key.

Manage keys from API & Webhooks in the dashboard sidebar (the API Key tab).

Accessing API & Webhooks requires a plan that includes the API & Webhooks feature. If it's locked, ask a workspace Owner to upgrade. See Feature Access.


Your Secret Key

Each user account has a single, always-available Secret Key — you don't need to generate one manually; it's created automatically.

Copying your key

  1. Open the API Key tab under Webhooks & API. The key is hidden by default.
  2. Click the eye icon to toggle visibility.
  3. Click Copy to copy it to your clipboard.

Regenerating (rotating) your key

If a key is exposed or you simply want to rotate it:

  1. Click Regenerate key in the top right.
  2. Confirm in the modal: "Regenerate API key? Your current key will stop working immediately."
  3. Click Yes, regenerate. The old key is invalidated instantly.

Regenerating immediately breaks any integration still using the old key. Update all services with the new key as soon as you rotate.

Key metadata & usage

Below the key field you can audit its activity:

  • Prefix — the leading characters, so you can identify the key without revealing it.
  • Generated — when the current key was created.
  • Last used — the timestamp and source IP of the most recent successful request (e.g. from 192.168.1.1).

Authenticating Requests

Send the key in the Authorization header as a Bearer token on every request:

Authorization: Bearer tdc_YOUR_API_KEY

Examples

# cURL
curl -H "Authorization: Bearer tdc_YOUR_API_KEY" \
  https://yourapp.com/api/v1/me

// Node.js (fetch)
const res = await fetch('https://yourapp.com/api/v1/me', {
  headers: { Authorization: 'Bearer tdc_YOUR_API_KEY' },
});
const result = await res.json();
if (result.ok) {
  const { data } = result;
  console.log('User profile:', data);
} else {
  console.error('Error:', result.error, result.message);
}

A missing or invalid key returns 401 UNAUTHORIZED. See error handling.


Security Best Practices

Your Secret Key carries the full access of your account. Treat it like a password.

  • Never expose it client-side. Keep it out of browser code, mobile apps, and any public repository.
  • Server-side only. Store it in server environment variables, not in source control.
  • Rotate on exposure. If a key may have leaked, Regenerate key immediately.
  • Scope by environment. Use separate workspaces (and keys) for testing and production where possible.
  • Mind the rate limit. Keys are capped at 1,000 requests/hour — see Rate Limits.
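
A server-side sketch of the practices above, added here as an example and not taken from this API's own code: the key is read from an environment variable, never logged in full, and a 401 is reported with only a masked form. The variable name TDC_API_KEY, the function names, the four visible characters in the mask, and the HTTPS check are assumptions of this example.

```javascript
// Added example, not the vendor's code. TDC_API_KEY and all function names are assumptions.
const KEY_PREFIX = 'tdc_'; // prefix used in the page's sample header

// Read the key from the server environment; fail closed if it is absent or malformed.
function loadKey(env = process.env) {
  const key = (env.TDC_API_KEY || '').trim();
  if (!key) throw new Error('TDC_API_KEY is not set');
  if (!key.startsWith(KEY_PREFIX)) throw new Error('TDC_API_KEY does not start with tdc_');
  return key;
}

// Log-safe form: the prefix plus a few characters (the count is an assumption),
// so it can be compared with the Prefix shown in the dashboard.
function maskKey(key, visible = 4) {
  return key.slice(0, KEY_PREFIX.length + visible) + '...';
}

// Build the request without performing it, so the header logic can be tested offline.
function buildRequest(url, env = process.env) {
  if (new URL(url).protocol !== 'https:') {
    throw new Error('refusing to send the key over a non-HTTPS URL');
  }
  return { url, init: { headers: { Authorization: `Bearer ${loadKey(env)}` } } };
}

// Perform the call. fetchImpl is injectable so tests can pass a stub instead of the network.
async function apiGet(url, { env = process.env, fetchImpl = fetch } = {}) {
  const { init } = buildRequest(url, env);
  const res = await fetchImpl(url, init);
  if (res.status === 401) {
    // Key missing, invalid, or rotated: report only the masked form.
    const masked = maskKey(loadKey(env));
    throw new Error(`401 UNAUTHORIZED for key ${masked}; compare with the dashboard prefix`);
  }
  return res.json();
}
```

After a rotation, update the environment variable and restart the service; the masked value in the 401 message shows which key the process was still using.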
