Skip to main content
The DevTune API uses API keys for authentication. Each key is scoped to a single project and must be included in the Authorization header of every request. Keys can either:
  • keep the default all scopes access for that project
  • or be narrowed to specific endpoint scopes such as visibility.read, actions.read, intelligence.read, webhooks.read, and webhooks.write

Creating an API Key

  1. Navigate to your team account
  2. Open API Keys in the account sidebar
  3. Click Create API Key
  4. Enter a name for the key (e.g., “CI/CD Pipeline” or “BI Dashboard”)
  5. Select the project the key should access
  6. Click Create API Key
After creation, the full key is displayed once. Copy it immediately and store it securely. You will not be able to view the full key again.

Key Format

API keys follow this format: 
dtk_live_<64 hex characters>
For example: dtk_live_a1b2c3d4e5f6... Only the first few characters (dtk_live_a1b2...) are stored as a prefix for identification in the dashboard.

Using Your API Key

Include the key in the Authorization header with the Bearer prefix: 
curl -H "Authorization: Bearer dtk_live_your_key_here" \
  "https://devtune.ai/api/v2/projects/YOUR_PROJECT_ID/visibility/summary"

Example with JavaScript

const response = await fetch(
  'https://devtune.ai/api/v2/projects/YOUR_PROJECT_ID/visibility/summary',
  {
    headers: {
      Authorization: 'Bearer dtk_live_your_key_here',
    },
  },
);

const { data, meta } = await response.json();

Example with Python

import requests

response = requests.get(
    "https://devtune.ai/api/v2/projects/YOUR_PROJECT_ID/visibility/summary",
    headers={"Authorization": "Bearer dtk_live_your_key_here"}
)

result = response.json()
print(result["data"])

Key Security

  • Keys are hashed with SHA-256 before storage. DevTune never stores the raw key.
  • Each key is scoped to exactly one project. It cannot access data from other projects.
  • Keys with no explicit scope restrictions retain full access to that project. Scoped keys can only call endpoints and MCP tools covered by their configured scopes.
  • Requests with an invalid, expired, or revoked key receive a generic 401 Unauthorized response.
  • Requests with a valid key that lacks the required endpoint or MCP tool scope receive 403 Forbidden, so permission errors stay distinct from authentication failures.

CORS Support

The API supports Cross-Origin Resource Sharing (CORS) for browser-based integrations. Requests from any origin are accepted when a valid API key is provided.

Revoking a Key

To revoke an API key:
  1. Go to API Keys in the account sidebar
  2. Find the key in the list
  3. Click the revoke button (trash icon)
  4. Confirm the revocation
Revoked keys stop working immediately. This action cannot be undone.

Who Can Manage API Keys

Only team members with the settings.manage permission can create or revoke API keys.