API authentication
Tiden has three credential types that are easy to confuse. They serve different purposes.
Web sessions
Web sessions are created by login. The browser receives a short-lived JWT access token and a refresh token cookie. Web sessions can call the full web API surface for the signed-in user.
Use web sessions for interactive app usage, not for scripts or CI.
API tokens
API tokens are long-lived bearer tokens for automation. They start with `tfy_` and are shown once when created.
Use API tokens for:
- CLI.
- CI release creation.
- Source map upload.
- MCP server.
- Custom API clients.
Send the token as:
Authorization: Bearer <token>
API tokens can call the api.public.v1 surface only. They cannot manage other
API tokens, organization members, billing, credentials, or other web-only admin
operations.
DSN keys
DSN keys are product-scoped public ingest credentials for error tracking. They are embedded in runtime applications and can only send events to the product ingest endpoint.
A DSN key is not an API token. It cannot call the REST API.
Choosing the right credential
| Job | Credential |
|---|---|
| Use the web app | Web session |
| Run tiden locally | API token created by tiden setup |
| Create releases from CI | API token |
| Upload source maps from CI | API token |
| Send runtime exceptions | DSN key |
| Manage organization members | Web session |
| Manage billing | Web session |
| Manage workspace credentials | Web session |
Token storage
Store API tokens in:
- `~/.tiden/config.json` for local CLI use.
- CI secret stores for build automation.
- Secret managers for custom services.
Do not commit API tokens or DSNs to source control. DSNs are less privileged, but they still identify your product's ingest stream and should be treated as configuration, not public documentation.
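
One way to enforce the source-control rule is a pre-commit or CI check that looks for the `tfy_` prefix. The script below is an added example, not part of Tiden's tooling; the token body pattern (20 or more URL-safe characters) and the sample file content are assumptions, since only the prefix is documented here. DSN keys are not covered because their format is not described on this page.

```python
import re
import sys
from pathlib import Path

# Assumption: only the "tfy_" prefix is documented. The body pattern below
# (20+ URL-safe characters) is a guess; tighten it to the real token format.
TOKEN_RE = re.compile(r"\btfy_[A-Za-z0-9_-]{20,}")


def redact(token: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be matched to a
    token without copying the secret into CI logs."""
    return f"tfy_...{token[-4:]}"


def find_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_token) for each suspected API token."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


def scan_files(paths) -> int:
    """Scan the given files, print redacted findings, return the count."""
    count = 0
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        for lineno, redacted in find_tokens(text):
            print(f"{path}:{lineno}: possible Tiden API token {redacted}")
            count += 1
    return count


# Constructed sample (not a real token), built by concatenation so this
# file does not trip the scanner itself.
SAMPLE = "\n".join([
    "# deploy.env (constructed)",
    "TIDEN_TOKEN=" + "tfy_" + "A1b2C3d4E5f6G7h8I9j0wxyz",
    "prefix_only=tfy_",
    "curl -H 'Authorization: Bearer $TIDEN_TOKEN'",
])

if __name__ == "__main__":
    # Exit non-zero when any file contains a suspected token.
    sys.exit(1 if scan_files(sys.argv[1:]) else 0)
```

Run it against the staged file list in a pre-commit hook; a non-zero exit blocks the commit.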