# API keys

> Create, rotate, and revoke keys.

API keys authenticate your server to Tally. They're scoped per account and split between **test** (`tly_test_…`) and **live** (`tly_live_…`) modes. Keep a key for each mode in your environment configuration so you can swap modes by flipping a single variable.

## Creating a key

From the dashboard, **API keys → New key**. The plaintext is shown exactly once — store it in your secret manager immediately.

## Rotation

Tally supports a 24-hour rotation window: when you create a new key, the previous one keeps working for 24 hours so you can roll your fleet without dropped requests.

<Steps>
  <Step title="Generate the new key">
    Create a new API key from the dashboard. Copy the plaintext value.
  </Step>

  <Step title="Deploy with the new key">
    Update `TALLY_API_KEY` in your secret store and roll out.
  </Step>

  <Step title="Revoke the old one">
    Once every instance is on the new key, revoke the old key.
  </Step>
</Steps>

## Revocation

<Warning>
  Revocation is immediate and irreversible. Make sure no instance is still using the key before revoking.
</Warning>

## Scopes (roadmap)

Today, keys are full-access per account. Per-resource scopes (read-only, payment-only) are tracked on the roadmap. If you need them sooner, talk to us.

## Detecting leaked keys

If you accidentally commit a key, rotate it within minutes — Tally automatically scans public commits for leaked credentials and revokes them, but the safer path is to rotate yourself the moment you notice.

## Best practices

* Use environment variables, not hardcoded strings.
* Never ship a key in a client bundle. Tally's SDK is server-only.
* Separate test and live keys across staging and production environments — never mix.
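
The following is an added example, not Tally's own tooling: a scanner you could run as a pre-commit or CI check to catch hardcoded keys (see "Detecting leaked keys" and the first best practice above) by their `tly_test_` / `tly_live_` prefixes. The key-body pattern (16+ URL-safe characters), the sample input, and the `scan` and `mode_matches` helpers are assumptions made for illustration.

```python
import re
import sys

# Prefixes are from the page. The key body (16+ URL-safe characters) is an
# assumption: the page does not document the format after the prefix.
KEY_RE = re.compile(r"\btly_(test|live)_[A-Za-z0-9_-]{16,}")

# Constructed sample input; the key values are made up for this example.
SAMPLE = '''\
import os
api_key = os.environ["TALLY_API_KEY"]              # fine: read from env
legacy = "tly_live_EXAMPLEEXAMPLEEXAMPLE0001"      # hardcoded live key
# docs placeholder tly_test_... is too short to match
fixture = "tly_test_EXAMPLEEXAMPLEEXAMPLE0002"
'''


def scan(text):
    """Return one finding per key-shaped string, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            mode = m.group(1)
            # Keep only the prefix and last 4 characters so the report
            # itself never re-leaks the key into CI logs.
            redacted = f"tly_{mode}_...{m.group(0)[-4:]}"
            findings.append({"line": lineno, "mode": mode, "key": redacted})
    return findings


def mode_matches(key, want_live):
    """True if the key's prefix matches the mode the environment expects."""
    return key.startswith("tly_live_" if want_live else "tly_test_")


def main(paths):
    """Scan the given files (e.g. staged files in a pre-commit hook)."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan(fh.read()):
                hits += 1
                print(f"{path}:{f['line']}: {f['mode']} key {f['key']}")
    return 1 if hits else 0  # non-zero exit blocks the commit or CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A non-zero exit means at least one key-shaped string was found; treat any hit on a live key as a leak and rotate it. `mode_matches` can be called at service startup to refuse a test key in production or a live key in staging.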
