Skip to main content
Authentication with the Timely.ai API is done via an API key sent on every request in the x-api-key header. No OAuth, no sessions — just the key.

Sending the key

For environment variables, always store the key as TIMELY_API_KEY and reference it via process.env (Node), os.environ (Python), or os.Getenv (Go). Never hardcode it.

Creating an API key

  1. Go to app.timelyai.com.br
  2. Navigate to Settings → API Keys → New key
  3. Give it a name that identifies its use (e.g., crm-integration, n8n-automations)
  4. Select the required scopes (principle of least privilege)
  5. Copy the key — it is shown only once
If you lose the key, it cannot be recovered. You will need to revoke it and create a new one. Plan the rollout before revoking keys in production.

Available scopes

Each API key has a set of scopes that define what it can do. Grant only what the service needs.

Security best practices

Use one key per service. If a service is compromised, you revoke only its key without affecting everything else. Minimum scopes. A job that only reads conversations does not need agents:write. The smaller the scope, the smaller the blast radius of a leaked key. Periodic rotation. Rotate keys every 90 days or whenever a team member who had access to the credentials leaves. Monitor usage. Under Settings → API Keys, you can see the request volume per key. Unexpected spikes may indicate unauthorized use.

Rotating a key

1

Create the new key

Under Settings → API Keys → New key, create the replacement with the same scopes as the current key.
2

Update services

Update the environment variable in all services that use the old key. Deploy or restart the services.
3

Revoke the old key

After confirming that the services are operational with the new key, click Revoke on the old key. Revocation is immediate — any request with the old key will return 401.

Common authentication errors

API keys are isolated by workspace. A key created in the “Support” workspace cannot access data from the “Sales” workspace.