Authentication
Tensoras.ai has two layers of authentication: Console Authentication for signing in to the web dashboard, and API Authentication for programmatic access. This page covers both.
Console Authentication
Console authentication controls access to the Tensoras Console — the web dashboard where you manage models, knowledge bases, API keys, billing, and team settings. The following sign-in methods are available.
Email & Password
Create an account with your name, email address, and a password.
- Password requirements: minimum 8 characters.
- After signing up, you will receive a verification email. Click the link to activate your account before signing in.
- Forgot password: On the sign-in page, click Forgot password? to receive a password reset link via email. The link expires after 1 hour.
Google OAuth
Click Sign in with Google on the sign-in page to authenticate using your Google account. If you do not already have a Tensoras account, one will be created automatically using your Google profile information.
GitHub OAuth
Click Sign in with GitHub on the sign-in page to authenticate using your GitHub account. A Tensoras account will be created on first sign-in if one does not already exist.
Magic Links
For passwordless sign-in, enter your email address and click Send magic link. You will receive an email containing a one-time sign-in link. Click the link to authenticate without entering a password. Magic links expire after 15 minutes.
SAML SSO
Enterprise organizations can configure SAML 2.0 Single Sign-On so that team members authenticate through your company’s identity provider (Okta, Azure AD, Google Workspace, etc.). SSO is configured per-organization and is available on Enterprise plans.
See the SSO Setup Guide for detailed configuration instructions.
API Authentication
Every request to the Tensoras.ai API must include a valid API key. The rest of this page covers how to create keys, pass them in requests, manage scopes, and stay within rate limits.
API Key Format
Tensoras API keys use the prefix tns_ followed by a random alphanumeric string:
```
tns_a1b2c3d4e5f6g7h8i9j0...
```
If a key does not start with tns_, it is not a valid Tensoras key.
Passing Your API Key
Include your key in the Authorization header as a Bearer token:
```
Authorization: Bearer tns_your_key_here
```
curl
```bash
curl https://api.tensoras.ai/v1/chat/completions \
  -H "Authorization: Bearer $TENSORAS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "llama-3.3-70b",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'
```
Python SDK
```python
from tensoras import Tensoras

# Option 1: Pass explicitly
client = Tensoras(api_key="tns_your_key_here")

# Option 2: Set the TENSORAS_API_KEY environment variable (recommended)
client = Tensoras()  # automatically reads TENSORAS_API_KEY from env
```
Node.js SDK
```javascript
import Tensoras from "tensoras";

// Option 1: Pass explicitly
const client = new Tensoras({ apiKey: "tns_your_key_here" });

// Option 2: Set the TENSORAS_API_KEY environment variable (recommended)
// (named differently here only so both options can sit in one file)
const clientFromEnv = new Tensoras(); // automatically reads TENSORAS_API_KEY from env
```
OpenAI SDK (compatible)
Because Tensoras implements the OpenAI API spec, you can use the official OpenAI SDKs by overriding the base URL:
```python
from openai import OpenAI

client = OpenAI(
    api_key="tns_your_key_here",
    base_url="https://api.tensoras.ai/v1",
)
```
Key Scopes
When creating an API key, you can restrict its permissions to a specific scope. This follows the principle of least privilege — give each key only the access it needs.
| Scope | Permissions |
|---|---|
| all | Full access to every endpoint (default) |
| inference | Chat completions, completions, embeddings, reranking, and model listing |
| rag | Retrieval queries against existing Knowledge Bases |
| knowledge_bases | Create, update, and delete Knowledge Bases and data sources; manage ingestion jobs |
A key with the inference scope cannot create Knowledge Bases. A key with the rag scope can query Knowledge Bases but cannot run standalone chat completions without a Knowledge Base attached. Use all for development and narrower scopes for production services.
Key Management
Manage your API keys in the Tensoras Console:
- Create a key — go to Console > API Keys > Create Key. Choose a name, select a scope, and copy the key. You will only see the full key once.
- Revoke a key — click the key’s menu and select Revoke. The key stops working immediately. Revocation cannot be undone.
- View usage — each key shows request counts, token usage, and last-used timestamp so you can audit which keys are active.
Rate Limits
Rate limits are applied per API key and depend on your plan tier. Limits are measured in requests per minute (RPM).
| Plan | Rate Limit | Token Limit | Knowledge Bases |
|---|---|---|---|
| Free | 30 RPM | 100K tokens/min | 1 |
| Developer | 600 RPM | 2M tokens/min | 10 |
| Pro | 3,000 RPM | 10M tokens/min | 50 |
| Enterprise | 10,000 RPM | Custom | Unlimited |
When you exceed your rate limit, the API returns a 429 Too Many Requests response with the following headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Your RPM cap for this key |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
| Retry-After | Seconds to wait before retrying |
Both the Python and Node.js SDKs handle 429 responses automatically with exponential backoff. If you are using curl or a custom HTTP client, check for 429 status codes and respect the Retry-After header.
See the Rate Limits guide for strategies on handling limits in production.
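For a custom HTTP client, the 429 handling described above can look like the following. This is an added example, not Tensoras SDK code: `retry_delay`, `send_with_retry`, the 60-second cap, and the injected `send` callable (which performs one request and returns status, headers, and body) are assumptions made for illustration.

```python
import time
from typing import Callable, Mapping, Tuple

Response = Tuple[int, Mapping[str, str], bytes]  # (status, headers, body)


def retry_delay(headers: Mapping[str, str], attempt: int, now: float,
                base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait after a 429, preferring the server's own hints.

    The cap (an assumed value) keeps a malformed or oversized header from
    stalling the caller far beyond the one-minute rate-limit window.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Retry-After: seconds to wait before retrying.
    try:
        return min(max(float(h["retry-after"]), 0.0), cap)
    except (KeyError, ValueError):
        pass  # header absent or not a plain number of seconds
    # 2. X-RateLimit-Reset: Unix timestamp when the window resets.
    try:
        return min(max(float(h["x-ratelimit-reset"]) - now, 0.0), cap)
    except (KeyError, ValueError):
        pass
    # 3. No usable header: exponential backoff (1s, 2s, 4s, ...).
    return min(base * (2 ** attempt), cap)


def send_with_retry(send: Callable[[], Response], max_retries: int = 5,
                    sleep: Callable[[float], None] = time.sleep,
                    clock: Callable[[], float] = time.time) -> Response:
    """Call send() until it returns a non-429 status or retries run out.

    Only 429 is retried: a 401 or 403 will not fix itself, so those are
    handed straight back to the caller.
    """
    for attempt in range(max_retries + 1):
        status, headers, body = send()
        if status != 429 or attempt == max_retries:
            return status, headers, body
        sleep(retry_delay(headers, attempt, clock()))
    raise AssertionError("unreachable")
```

`sleep` and `clock` are parameters so the retry logic can be unit-tested without real waiting.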
Security Best Practices
Use environment variables
Never hard-code API keys in source code. Store them in environment variables or a secrets manager:
```bash
# .env file (add .env to your .gitignore)
TENSORAS_API_KEY=tns_your_key_here
```

```python
import os
from tensoras import Tensoras

client = Tensoras(api_key=os.environ["TENSORAS_API_KEY"])
```
Never commit keys to version control
Add .env and any files containing keys to your .gitignore. If a key is accidentally committed, revoke it immediately and create a new one.
```
# .gitignore
.env
.env.local
.env.*.local
```
Use scoped keys in production
Create separate keys for each service with the narrowest scope required. An inference-only microservice should use an inference-scoped key, not an all-scoped key.
Rotate keys regularly
Rotate API keys on a regular cadence (e.g., every 90 days). Create a new key, update your services, verify they work, then revoke the old key.
Restrict keys to server-side usage
API keys should only be used in server-side code. Never expose a Tensoras API key in client-side JavaScript, mobile app bundles, or public repositories.
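The rules above about never committing keys and never shipping them in client bundles can be backed by a scan for the tns_ prefix over source files or build output before they leave your machine. This is an added example, not a Tensoras tool: the 20-character minimum length is an assumption (the page gives only the prefix and "random alphanumeric string"), and the sample key is constructed.

```python
import re
import sys
from typing import List, Tuple

# Assumption: at least 20 alphanumerics after "tns_". Chosen so that doc
# placeholders such as tns_your_key_here are not reported.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])tns_[A-Za-z0-9]{20,}(?![A-Za-z0-9])")

# Constructed sample input: one fake key, one harmless placeholder.
SAMPLE = {
    "app/config.py": 'import os\nAPI_KEY = "tns_CONSTRUCTEDsample0123456789"\n',
    ".env.example": "TENSORAS_API_KEY=tns_your_key_here\n",
}


def redact(key: str) -> str:
    """Show enough to find the key in the Console, never the whole secret."""
    return f"{key[:8]}...({len(key)} chars)"


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, redacted key) for every match in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group())))
    return findings


def main(paths: List[str]) -> int:
    """Scan the given files; a non-zero return blocks the commit or build."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings += scan_text(path, fh.read())
    for name, lineno, shown in findings:
        print(f"{name}:{lineno}: possible Tensoras API key {shown}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Any key this reports should be treated as exposed: revoke it in the Console and issue a replacement, as described above.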
Error Responses
Authentication errors return standard HTTP status codes:
| Status | Meaning | Common Cause |
|---|---|---|
| 401 Unauthorized | Missing or invalid API key | Key is missing, malformed, or revoked |
| 403 Forbidden | Key does not have the required scope | Using an inference key to create a Knowledge Base |
| 429 Too Many Requests | Rate limit exceeded | Too many requests in the current minute window |
```json
{
  "error": {
    "message": "Invalid API key. Please check your key and try again.",
    "type": "authentication_error",
    "code": "invalid_api_key"
  }
}
```
Next Steps
- Quickstart — make your first API call
- Rate Limits guide — strategies for handling rate limits
- API Reference — full endpoint documentation
- SDKs — Python and Node.js client libraries