API Keys
Local TattooAPI API key management is retired in WorkOS mode.
Machine and agent credentials are created, rotated, and revoked in WorkOS API Keys. TattooAPI validates incoming X-API-Key values with WorkOS, then resolves the WorkOS API key ID to a TattooAPI actor mapping in Convex.
Retired Endpoints
GET /api-keys
POST /api-keys
GET /api-keys/{id}
PUT /api-keys/{id}
DELETE /api-keys/{id}
In WorkOS mode, these routes return 410 Gone before legacy local key storage is used.
Response
{
  "success": false,
  "error": {
    "message": "Local TattooAPI API key management is retired for WorkOS mode. Create and revoke machine credentials in WorkOS API Keys.",
    "code": "LOCAL_API_KEYS_RETIRED"
  },
  "meta": {
    "authProvider": "workos",
    "replacement": "WorkOS AuthKit API Keys",
    "timestamp": "2026-04-30T01:05:56.746Z"
  }
}
Current Machine Auth
Use WorkOS API Keys for server-to-server calls:
curl "$TATTOO_API_BASE_URL/search?q=tattoo" \
  -H "X-API-Key: $TATTOO_INTERNAL_WORKOS_API_KEY"
Security Boundary
- Secret API key values live in WorkOS and local or deployed secret managers only.
- Convex stores non-secret WorkOS IDs and TattooAPI actor mappings.
- Valid WorkOS keys without a mapped TattooAPI actor return 403.
- Public writes remain blocked.
Do not store WorkOS API key values in Convex, git, Mintlify, source-pack reports, or Mastra reports.
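The decision order this page describes (410 for retired routes, key validation, then the actor mapping with 403 when none exists), as an added JavaScript sketch that is not TattooAPI's code. `validateKey` and `lookupActor` are hypothetical synchronous stand-ins for the WorkOS validation and the Convex lookup; the 401 status, the error code names other than LOCAL_API_KEYS_RETIRED, and checking retired routes ahead of key validation are assumptions.

```javascript
// Added sketch, not TattooAPI source. validateKey and lookupActor are
// hypothetical stand-ins for WorkOS key validation and the Convex mapping
// lookup; real ones would be asynchronous network calls.
const RETIRED_ROUTE = /^\/api-keys(\/[^/]+)?\/?$/;

function authorize(req, { validateKey, lookupActor }) {
  // 1. Retired routes answer 410 up front, so legacy local key storage is
  //    never reached (doing this ahead of validation is this sketch's choice).
  if (RETIRED_ROUTE.test(req.path)) {
    return { status: 410, code: "LOCAL_API_KEYS_RETIRED" };
  }
  // 2. Missing or rejected key: 401 is an assumption, the page only
  //    specifies the 410 and 403 cases.
  const secret = req.headers["x-api-key"];
  const key = secret ? validateKey(secret) : null;
  if (!key) return { status: 401, code: "INVALID_API_KEY" };
  // 3. Only the non-secret key ID crosses into the mapping store.
  const actor = lookupActor(key.id);
  if (!actor) return { status: 403, code: "ACTOR_NOT_MAPPED" }; // code name assumed
  return { status: 200, actor };
}

// Constructed sample data: secrets exist only on the validator side,
// the mapping store holds IDs and actor names.
const validatorSide = new Map([
  ["constructed-secret-A", { id: "key_constructed_01" }],
  ["constructed-secret-B", { id: "key_constructed_02" }],
]);
const mappingStore = new Map([["key_constructed_01", "actor_search_worker"]]);
const deps = {
  validateKey: (s) => validatorSide.get(s) ?? null,
  lookupActor: (id) => mappingStore.get(id) ?? null,
};

function demo() {
  const call = (path, secret) =>
    authorize({ path, headers: secret ? { "x-api-key": secret } : {} }, deps).status;
  return {
    retired: call("/api-keys/123", "constructed-secret-A"), // 410
    mapped: call("/search", "constructed-secret-A"),        // 200
    unmapped: call("/search", "constructed-secret-B"),      // 403
    unknown: call("/search", "not-a-key"),                  // 401 (assumed)
  };
}
```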