What are API keys?

API keys authenticate requests to the TryPost REST API and MCP server. Every API call and AI assistant connection requires a valid key. Keys are scoped to a single workspace — an API key can only access the workspace it was created in.

Creating an API key

Go to API Keys in the sidebar and click Create API Key.
| Field | Required | Description |
| --- | --- | --- |
| Name | Yes | A label to identify the key (e.g., Production, CI/CD, MCP, Cursor) |
| Expiration | No | Optional expiration date. After this date, the key stops working |
After creation, the full key is shown once. Copy it immediately.
TryPost stores a hash of your API key, not the key itself. If you lose it, you’ll need to create a new one.

Key format

tp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys start with tp_ followed by 48 random characters (51 characters total). The tp_ prefix makes it easy to identify TryPost keys in your codebase and avoid committing them accidentally (add tp_* to your .gitignore patterns).
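The fixed shape described above (tp_ plus 48 characters) lends itself to content scanning, which matters because .gitignore patterns match file paths, not strings inside files. The following is an added example, not TryPost's own code: a small scanner suitable for a pre-commit hook or CI step. It assumes the 48 characters are ASCII letters and digits, and the names KEY_RE, SAMPLE, redact, scan_text and scan_files are hypothetical.

```python
import re
import sys

# Assumption: the 48 random characters are ASCII letters and digits. The page
# states only the tp_ prefix and the total length (51).
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])tp_[A-Za-z0-9]{48}(?![A-Za-z0-9])")

# Constructed sample input (not a real key): one key-shaped value, plus the
# documentation placeholder, which must not be flagged.
SAMPLE = (
    'TRYPOST_API_KEY="tp_' + "A1b2C3d4" * 6 + '"\n'
    'curl -H "Authorization: Bearer tp_your_api_key"\n'
)


def redact(key):
    """Keep enough of the key to locate it without re-leaking it in logs."""
    return key[:7] + "..." + key[-4:]


def scan_text(text, path="<text>"):
    """Return (path, line_number, redacted_key) for each key-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, line_no, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan each readable file; skip paths that cannot be opened."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the files.
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE)
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: possible TryPost API key {key}")
    sys.exit(1 if hits else 0)
```

In a pre-commit hook, pass it the staged paths, for example the output of git diff --cached --name-only; a non-zero exit status blocks the commit.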

Where to use your API key

The same key works for both the REST API and MCP server:

REST API

Pass the key as a Bearer token in the Authorization header:
curl -X GET https://app.trypost.it/api/posts \
  -H "Authorization: Bearer tp_your_api_key"

MCP Server

Use the key in your AI assistant’s MCP configuration:
{
  "mcpServers": {
    "trypost": {
      "type": "http",
      "url": "https://app.trypost.it/mcp/trypost",
      "headers": {
        "Authorization": "Bearer tp_your_api_key"
      }
    }
  }
}
See the Build with AI section for setup guides for each AI assistant.

Expiration

API keys can be created with or without an expiration date:
  • No expiration — The key remains active until you manually delete it
  • With expiration — The key automatically becomes inactive after the set date. Requests return a 401 error
Expired keys are not deleted — they stay visible so you can track usage history. You can delete them when ready.

Security best practices

1. Use separate keys per use case
   Create different keys for different purposes: Production API, Cursor MCP, CI/CD Pipeline. If one is compromised, you only need to rotate one.

2. Set expiration for temporary access
   If you’re sharing a key with a contractor or external tool, set an expiration date.

3. Never commit keys to source control
   Store keys in environment variables, .env files (not committed), or secret managers. Never hardcode them.

4. Rotate keys periodically
   Create a new key, update your integrations, verify the old key’s Last used timestamp shows no recent activity, then delete it.

Deleting an API key

You can delete an API key at any time from the dashboard or via the API. Deletion is immediate and irreversible — any application or AI assistant using the key will immediately start receiving 401 errors. Check the Last used column before deleting to make sure the key isn’t actively in use.

FAQ

There’s no limit. Create as many as you need.
No. The full key is only shown once. TryPost stores a secure hash, not the original key.
Yes. One key authenticates both REST API requests and MCP connections. They’re the same authentication mechanism.
The API returns a 401 Unauthorized error. Create a new key to restore access.
No. Keys are scoped to the workspace where they were created. Create a separate key for each workspace.
Yes. API requests are throttled to prevent abuse. If you exceed the limit, you’ll receive a 429 status code.