API Keys
API keys give external applications and scripts programmatic access to your TinyCommand workspace. Use them to read/write table data, trigger workflows, access form submissions, and integrate with your own tools.
Generating an API key
- Go to Settings → API Keys (or click your avatar → API Keys)
- Click + Generate New Key
- Configure:
| Field | Description |
|---|---|
| Name | A descriptive label (e.g., "Production Server", "CI/CD Pipeline", "Partner Integration") |
| Scope | Which products the key can access (see scopes below) |
| Permissions | Read-only or Read/Write |
| Expiry | Never, 30 days, 90 days, or 1 year |
- Click Generate
- Copy the key immediately: it's shown only once
Key scopes
| Scope | Access |
|---|---|
| Full workspace | All products: tables, workflows, forms, agents, emails |
| Tables only | Read/write table data, columns, views |
| Workflows only | Trigger workflows, read execution history |
| Forms only | Read form submissions, manage forms |
| Agents only | Interact with agent conversations |
Using your API key
Include the API key in the Authorization header:
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://api.tinycommand.com/v1/tables
Or as a query parameter (not recommended for production):
https://api.tinycommand.com/v1/tables?api_key=YOUR_API_KEY
Common API endpoints
| Endpoint | Method | Description |
|---|---|---|
/v1/tables | GET | List all tables |
/v1/tables/:id/rows | GET | Get rows from a table |
/v1/tables/:id/rows | POST | Create a new row |
/v1/tables/:id/rows/:rowId | PATCH | Update a row |
/v1/tables/:id/rows/:rowId | DELETE | Delete a row |
/v1/workflows/:id/trigger | POST | Trigger a workflow |
/v1/forms/:id/submissions | GET | Get form submissions |
Managing existing keys
In the API Keys section, each key shows:
| Column | Description |
|---|---|
| Name | Your label |
| Key prefix | First 8 characters of the key (for identification) |
| Scope | What the key can access |
| Created | When the key was generated |
| Last used | Last time the key was used for an API call |
| Expires | When the key expires (or "Never") |
Actions
| Action | Description |
|---|---|
| Regenerate | Creates a new key with the same settings. The old key stops working immediately. |
| Revoke | Permanently deletes the key. Cannot be undone. |
| Edit | Change the name, scope, or permissions (the key string itself doesn't change) |
Best practices
| Practice | Why |
|---|---|
| Use descriptive names | "Production Backend - Tables R/W" is better than "API Key 1" |
| Scope narrowly | Don't use a Full workspace key when you only need Tables access |
| Set expiry dates | Keys that never expire are a security risk. Set 90-day rotation. |
| Use read-only when possible | If a service only reads data, give it a read-only key |
| Rotate regularly | Regenerate keys periodically, especially for production systems |
| Never commit to git | Use environment variables: TINYCOMMAND_API_KEY=your_key |
API keys grant direct access to your workspace data. Treat them like passwords: never share them in Slack, email, or code repositories. If a key is compromised, revoke it immediately and generate a new one.
API rate limits apply: 100 requests per minute per key on the free plan, 1,000 per minute on paid plans. If you hit rate limits, add delays between requests or contact support for higher limits.