Universal Key
One key, every provider. How to create, rotate, and protect it.
Your Universal Key is an OpenAI-shaped bearer token that authenticates
every call to /v1/chat/completions. Format:
thk_live_{32 random chars}
The thk_live_ prefix is a tag for debugging tools and log scanners.
The rest is the secret.
Getting one
You get exactly one active key automatically on first sign-in. It is visible once on the dashboard; after that only the hash is kept.
If you didn't save it
Open the Universal Key card on the dashboard and click Rotate. The old key is revoked, a new one appears for one-time reveal, and every existing integration will 401 until repointed. Plan the rotation for a quiet moment.
How it's stored
- Plaintext: never. Not in the DB, not in logs, not in Vercel env. A 32-char key + salted SHA-256 hash lives in user_api_keys; the salt makes rainbow-table lookups useless.
- In transit: only over HTTPS. Plaintext Authorization headers fail at the CF Worker edge before ever reaching the origin.
- In our logs: we mask to thk_live_…………{last4} everywhere.
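For your own services that handle this key, the storage and masking rules above can be applied like this. This is an added example, not the provider's code; it assumes the 32 random chars are ASCII letters and digits, a 16-byte per-key salt, and a hash computed as SHA-256(salt || key), none of which the page specifies.

```python
import hashlib
import hmac
import re
import secrets
import string

PREFIX = "thk_live_"
# Assumption: the key body is 32 ASCII letters/digits (the page does not say).
ALPHABET = string.ascii_letters + string.digits
KEY_RE = re.compile(re.escape(PREFIX) + r"[A-Za-z0-9]{32}")


def new_key() -> str:
    """Generate a key in the documented shape from a CSPRNG."""
    return PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(32))


def hash_for_storage(key: str) -> tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are persisted."""
    salt = secrets.token_bytes(16)  # assumed salt size
    return salt, hashlib.sha256(salt + key.encode()).digest()


def verify(presented: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    if not KEY_RE.fullmatch(presented):
        return False  # wrong shape: reject before hashing
    candidate = hashlib.sha256(salt + presented.encode()).digest()
    return hmac.compare_digest(candidate, digest)


def mask(text: str) -> str:
    """Replace every key in a log line with thk_live_…………{last4}."""
    return KEY_RE.sub(lambda m: PREFIX + "…" * 4 + m.group(0)[-4:], text)


if __name__ == "__main__":
    key = new_key()  # constructed sample key, shown once and then discarded
    salt, digest = hash_for_storage(key)
    # Constructed sample log line containing the bearer token.
    line = f"POST /v1/chat/completions Authorization: Bearer {key} 200"
    print(mask(line))
    print("verifies:", verify(key, salt, digest))
```

A plain salted SHA-256 is reasonable here only because the secret is 32 random characters; it is not a suitable construction for human-chosen passwords.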
If you leak it
Rotate immediately. A leaked key is metered against your balance. We auto-rate-limit bursts above 30 req/s/IP across all unauthenticated and authenticated traffic, so there's a natural damage ceiling of a few dollars, but the cost is yours.
Programmatic management
Management endpoints will ship later this quarter (POST /v1/keys/rotate, etc.). For now the dashboard is the UI.
Multiple keys?
Not yet. One user, one active key. We're evaluating named keys + per-key rate limits for Series A customers with multiple deployments.