x-api-key header. No OAuth, no sessions — just the key.
Sending the key
TIMELY_API_KEY and reference it via process.env (Node), os.environ (Python), or os.Getenv (Go). Never hardcode it.
Creating an API key
- Go to app.timelyai.com.br
- Navigate to Settings → API Keys → New key
- Give it a name that identifies its use (e.g.,
crm-integration,n8n-automations) - Select the required scopes (principle of least privilege)
- Copy the key — it is shown only once
Available scopes
Each API key has a set of scopes that define what it can do. Grant only what the service needs.Agents
Agents
Conversations and messages
Conversations and messages
Contacts
Contacts
Channels
Channels
Training
Training
Workspaces and team
Workspaces and team
Automation
Automation
Scheduling
Scheduling
Infrastructure
Infrastructure
Security best practices
Use one key per service. If a service is compromised, you revoke only its key without affecting everything else. Minimum scopes. A job that only reads conversations does not needagents:write. The smaller the scope, the smaller the blast radius of a leaked key.
Periodic rotation. Rotate keys every 90 days or whenever a team member who had access to the credentials leaves.
Monitor usage. Under Settings → API Keys, you can see the request volume per key. Unexpected spikes may indicate unauthorized use.
Rotating a key
1
Create the new key
Under Settings → API Keys → New key, create the replacement with the same scopes as the current key.
2
Update services
Update the environment variable in all services that use the old key. Deploy or restart the services.
3
Revoke the old key
After confirming that the services are operational with the new key, click Revoke on the old key. Revocation is immediate — any request with the old key will return
401.Common authentication errors
API keys are isolated by workspace. A key created in the “Support” workspace cannot access data from the “Sales” workspace.