Authentication

Authenticating API requests

The Tixallo API uses Bearer tokens. Each key is scoped to a single workspace and grants access to that workspace's tickets, customers and conversations.

How keys work

Every API key is bound to one Tixallo workspace. Requests carry the key in the Authorization header using the Bearer scheme. There are no per-user OAuth flows in v1 — keys represent the workspace itself.

Authorization: Bearer YOUR_API_KEY

Keys are created and revoked from inside the Tixallo app. The full key value is shown only at creation time. Tixallo stores a one-way hash, so a forgotten key cannot be recovered — generate a new one instead.

Treat keys like passwords

  • Never embed an API key in client-side or browser code.
  • Never commit keys to source control, even in private repos.
  • Store keys in environment variables or a secrets manager.
  • Use a separate key per environment (dev, staging, production).
  • Rotate immediately if a key is exposed in a log, screenshot, chat message, or third-party tool.

Rotating a key

To rotate, create a new key in the app first, deploy it to your workloads, then revoke the old one. Tixallo allows multiple active keys per workspace specifically so rotation can happen without downtime.

Example — curl

curl https://tixallo.com/api/v1/tickets \
  -H "Authorization: Bearer $TIXALLO_API_KEY" \
  -H "Content-Type: application/json"

Reading the key from $TIXALLO_API_KEY keeps it out of your shell history and any captured terminal output.

Example — Node.js

// Node 18+ has fetch built-in. No SDK required.
const apiKey = process.env.TIXALLO_API_KEY;
if (!apiKey) throw new Error("TIXALLO_API_KEY is not set");

const res = await fetch("https://tixallo.com/api/v1/tickets", {
  method: "GET",
  headers: {
    Authorization: `Bearer ${apiKey}`,
    "Content-Type": "application/json",
  },
});

if (!res.ok) {
  throw new Error(`Tixallo API error: ${res.status}`);
}

const { data } = await res.json();
console.log(`Fetched ${data.length} tickets`);

Example — Python

import os
import requests

api_key = os.environ["TIXALLO_API_KEY"]

resp = requests.get(
    "https://tixallo.com/api/v1/tickets",
    headers={
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
    },
    timeout=10,
)
resp.raise_for_status()

payload = resp.json()
print(f"Fetched {len(payload['data'])} tickets")

What an unauthenticated request looks like

Missing, malformed or revoked keys return HTTP 401 with a small JSON body. Don't parse the message text for logic — rely on the status code.

{
  "error": "Unauthorized"
}
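
The rotation sequence under "Rotating a key" and the 401 rule above can be combined into a pre-revocation check. The following is an added example, not Tixallo's own code: it confirms the new key is accepted before the old one is revoked, decides by status code only, and never prints a key. The environment variable names TIXALLO_API_KEY_OLD and TIXALLO_API_KEY_NEW and all function names are assumptions made for the example.

```python
import os
import urllib.error
import urllib.request

TICKETS_URL = "https://tixallo.com/api/v1/tickets"  # endpoint used in the examples above


def http_status(key, url=TICKETS_URL):
    """Send one authenticated GET and return only the HTTP status code."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other error statuses arrive as HTTPError
    except urllib.error.URLError:
        return 0  # network failure: says nothing about the key


def key_state(key, probe=http_status):
    """Classify a key by status code alone; the response body is never read."""
    status = probe(key)
    if status == 401:
        return "rejected"  # missing, malformed or revoked
    if 200 <= status < 300:
        return "accepted"
    return "unknown"  # any other status is not evidence about the key


def rotation_step(old_key, new_key, probe=http_status):
    """Return the next safe action in the create -> deploy -> revoke sequence."""
    if key_state(new_key, probe) != "accepted":
        return "keep-old: new key not confirmed working"
    old_state = key_state(old_key, probe)
    if old_state == "accepted":
        return "revoke-old: new key works, old key still active"
    if old_state == "rejected":
        return "done: old key is revoked"
    return "retry: old key state unknown"


if __name__ == "__main__":
    # Hypothetical variable names; the returned message never contains a key.
    print(rotation_step(os.environ["TIXALLO_API_KEY_OLD"], os.environ["TIXALLO_API_KEY_NEW"]))
```

Run it once after deploying the new key and again after revoking the old one; the second run should report that the old key is revoked.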