An API key is a secret bearer token that lets a script, integration, or service call the Terminus Hub API as your account, without a personal login. A key is shown to you only once, when it is created. After that only its name and usage metadata are visible, never the secret again.
Use an API key when you want to reach Terminus Hub programmatically: reading records, submitting data, or listing workspaces and governance models. Each request carries the key, and Terminus Hub checks it against your account’s keys on every call. For the full request format and error responses, see API authentication.

What a key looks like

Every key starts with the prefix thub_ followed by random characters:
thub_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The thub_ prefix makes Terminus Hub keys easy to recognize in code, logs, and secret scanners, so an accidental leak can be flagged automatically.
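A prefix-based leak check of the kind described above, as an added example (not Terminus Hub code). It reports where a thub_ key appears in text and redacts it, while ignoring documentation placeholders such as the one shown here. The character set and minimum length in the pattern are assumptions, since the page says only that random characters follow the prefix; the sample input is constructed.

```python
import hashlib
import re

# Assumption: the page says only "thub_ followed by random characters".
# The character set and 16-character minimum here are illustrative guesses.
KEY_RE = re.compile(r"\bthub_[A-Za-z0-9_-]{16,}")

# Constructed sample input: two made-up keys and the documentation placeholder.
SAMPLE = (
    "GET /api/v1/records Authorization: Bearer thub_Zq3vT8mK1pLx9RbW4nYc7HdS2eFgJ6aU\n"
    'curl -H "Authorization: Bearer thub_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"\n'
    "THUB_API_KEY=thub_a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV\n"
)


def is_placeholder(token):
    """Treat bodies built from one or two distinct characters as doc placeholders."""
    return len(set(token[len("thub_"):])) <= 2


def fingerprint(token):
    """Short SHA-256 digest: lets responders correlate findings without the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scan(text):
    """Return (line_number, fingerprint) for every likely real key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            if not is_placeholder(match.group(0)):
                findings.append((lineno, fingerprint(match.group(0))))
    return findings


def redact(text):
    """Replace likely real keys with a fixed marker; placeholders are left alone."""
    def _sub(match):
        tok = match.group(0)
        return tok if is_placeholder(tok) else "thub_[REDACTED]"
    return KEY_RE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, fp in scan(SAMPLE):
        print(f"line {lineno}: thub_ key found, sha256[:12]={fp}")
    print(redact(SAMPLE), end="")
```

Any key this check finds in a repository or log should be treated as exposed: delete it and issue a replacement.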

How a key authenticates a request

Send the key in the Authorization header as a bearer token on every API request:
Authorization: Bearer thub_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
For example, listing records:
curl https://<your-hub-host>/api/v1/records \
  -H "Authorization: Bearer thub_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
A request with no Authorization header, or with a key that has been deleted or is otherwise invalid, gets a 401 authentication error. Terminus Hub records the time of each successful authentication as the key’s last-used timestamp, so you can tell which keys are active.
Cookie-based session auth is what the Terminus Hub web app uses for people signed in through a browser. Integrations use an API key instead. See API authentication for both schemes side by side.

How keys are scoped

A key is scoped to a single account, and to that account only. There are no per-key scopes, roles, or permissions, and no expiry date. A key can do anything the API exposes for its account.
Because the only boundary is the account, a key cannot read or change another account’s data. Two practical limits follow from this design:
  • The same access for every key. You cannot give one key read-only access and another key write access. Any key has the full API surface available to its account.
  • No expiry. A key stays valid until it is deleted. To rotate, create a new key, switch your integration over to it, then delete the old one.
The API surface that keys can reach is the integrator-facing set of resources (such as governance models, workspaces, records, and submissions). Account administration screens (members, billing, the keys themselves) are not reachable with an API key. See API authentication for the resources a key can call.

Provisioning a key today

There is currently no screen in the Terminus Hub app to create, list, or delete API keys. Do not look for an “API keys” page in settings: it does not exist yet. Keys are provisioned through the API itself (using a signed-in session) or by your administrator on your behalf.
What this means in practice:
  • Creating a key returns the secret value exactly once, in that response. Copy it immediately into a secrets manager or environment variable. It cannot be retrieved afterward, because Terminus Hub stores only a one-way hash of it, never the raw token.
  • Listing keys shows only each key’s name, when it was created, and when it was last used. The secret is never returned again, so identify a key by its name.
  • Deleting a key is how you revoke it. There is no disable switch: removing the key stops it from authenticating immediately, and any service still using it starts getting 401 errors.
  • Only account owners and admins can manage keys.
If you need a key and cannot create one yourself, ask an account owner or admin to provision one for you.

Keeping a key safe

A key carries account-level access, so treat it like a password.

Store it outside source code

Keep keys in environment variables or a secrets manager, never hardcoded in code or committed to a repository.
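One way an integration can follow this, as an added example (not Terminus Hub code): the key is read from the environment at call time, sent only over HTTPS, and never echoed in an error message. The variable name THUB_API_KEY and the helper names are assumptions; the path and the 401 behaviour are the ones described on this page.

```python
import os
import urllib.error
import urllib.request


class KeyConfigError(RuntimeError):
    """Raised for key problems. Messages never include the key itself."""


def load_key(env=os.environ):
    # THUB_API_KEY is a hypothetical variable name chosen for this example.
    key = env.get("THUB_API_KEY", "")
    if not key.startswith("thub_"):
        raise KeyConfigError("THUB_API_KEY is unset or is not a thub_ key")
    return key


def build_request(base_url, path, env=os.environ):
    # A bearer token grants account-level access, so refuse plaintext transport.
    if not base_url.startswith("https://"):
        raise KeyConfigError("refusing to send a bearer token over a non-HTTPS URL")
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", "Bearer " + load_key(env))
    return req


def list_records(base_url, env=os.environ):
    """GET /api/v1/records; a 401 means the key is missing, deleted or invalid."""
    req = build_request(base_url, "/api/v1/records", env)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            # "from None" drops the chained exception so logs stay free of
            # request details; the key cannot be recovered, only replaced.
            raise KeyConfigError(
                "401 from Terminus Hub: key missing, deleted or invalid; "
                "provision a replacement"
            ) from None
        raise
```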

Rotate by replacing

To rotate, create a new key, deploy it everywhere, then delete the old one. Do this after offboarding someone or if you suspect a leak.

One key per integration

Give each integration or environment its own key, so the last-used timestamp tells you which one is active and you can revoke one without breaking the rest.

Revoke on exposure

If a key may have leaked, delete it right away and issue a replacement. Deletion takes effect immediately.

Gotchas

  • No keys UI exists yet. Despite occasional in-app prompts about programmatic access, there is no page to manage keys. Provision them via the API or your administrator.
  • Shown once. The raw key appears only at creation. If you lose it, you cannot recover it; delete that key and make a new one.
  • No scopes, no expiry. Every key has the same account-wide reach and never expires on its own. Control access by limiting who holds keys and deleting unused ones.
  • Delete is the only revoke. There is no pause or disable. Deleting a key revokes it instantly.

API authentication

The bearer-token header, session auth, and error responses in detail.

API overview

What the Terminus Hub API offers and how requests are shaped.

Pagination and errors

Response envelopes, paging, and the structured error format.

Team members

Who can manage the account, including provisioning keys.