Authentication
Tuned Tensor supports two authentication methods: API keys for programmatic access and session cookies for the dashboard.
Using the CLI
The tt CLI is the recommended way to authenticate. Store your key once and it is reused for every command:
tt auth login tt_your_api_key
tt auth status
tt auth logoutAPI key precedence
-k, --api-key <key>flag on the commandTUNED_TENSOR_API_KEYenvironment variable- Stored credentials from
tt auth login(~/.config/tuned-tensor/config.json, respectsXDG_CONFIG_HOME)
API Keys
API keys power both the CLI and direct REST access. Keys are prefixed with tt_ and sent in the Authorization header:
curl https://tunedtensor.com/api/v1/behavior-specs \
-H "Authorization: Bearer tt_your_api_key"Create an API Key
Create API keys in the dashboard: Settings → API Keys → Create API Key. The full key is only shown once at creation time — store it securely.
Revoke an API Key
curl -X DELETE https://tunedtensor.com/api/v1/api-keys/:id \
-H "Authorization: Bearer tt_your_api_key"Revoked keys stop working immediately.
List API Keys
curl https://tunedtensor.com/api/v1/api-keys \
-H "Authorization: Bearer tt_your_api_key"Returns all keys with key_prefix for identification. The full key is never returned after creation.
Session Authentication
The dashboard uses Supabase session cookies, set automatically on login. Session auth also works for API requests from browser JavaScript.
Response Format
All API responses follow a consistent envelope:
Success
{
"data": { ... },
"meta": { // only for paginated endpoints
"page": 1,
"per_page": 20,
"total": 42
}
}Error
{
"error": {
"code": "not_found",
"message": "Behaviour spec not found"
}
}Common Error Codes
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized | Missing or invalid API key / session |
| 403 | forbidden | API key revoked |
| 404 | not_found | Resource not found or not owned by you |
| 400 | validation_error | Invalid request body |
| 500 | internal_error | Server error |