ToughTongue AI uses Bearer tokens for API authentication.

Get Your Token

  1. Go to Developer Portal
  2. Click Create API Key
  3. Copy it immediately; it won’t be shown again

Use Your Token

curl https://api.toughtongueai.com/api/public/scenarios \
  -H "Authorization: Bearer YOUR_API_TOKEN"

Test Your Token

curl -X POST https://api.toughtongueai.com/api/public/test \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"message": "test"}'

Security Rules

❌ Never Do This

// Client-side — EXPOSED TO USERS
const API_TOKEN = "sk_live_abc123";
fetch("https://api.toughtongueai.com/...", {
  headers: { Authorization: `Bearer ${API_TOKEN}` },
});

✅ Do This Instead

// Frontend: Call your backend (no token in the browser)
fetch("/api/analyze", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ session_id }),
});

// Backend: Use token securely
app.post("/api/analyze", async (req, res) => {
  const response = await fetch("https://api.toughtongueai.com/...", {
    headers: { Authorization: `Bearer ${process.env.TTAI_TOKEN}` },
  });
  res.json(await response.json());
});
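
A fuller version of the backend proxy above, as an added example that is not ToughTongue AI's own code: it fails closed when the token is missing, forwards only a validated field, and keeps the token out of logs and client responses. The session_id pattern, the TTAI_ORG_ID variable name, and the use of the /api/public/test endpoint as a stand-in for the elided URL are assumptions.

```javascript
// Added example, not ToughTongue AI code. Assumptions: the session_id shape,
// the TTAI_ORG_ID variable name, and UPSTREAM as a stand-in for the elided URL.
const UPSTREAM = "https://api.toughtongueai.com/api/public/test";
const SESSION_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed shape; adjust to real IDs

// Build the upstream request from untrusted client input and server-side env.
function buildUpstreamRequest(body, env) {
  const token = env.TTAI_TOKEN;
  if (!token) throw Object.assign(new Error("server misconfigured"), { status: 500 });
  const id = body && body.session_id;
  if (typeof id !== "string" || !SESSION_ID.test(id)) {
    throw Object.assign(new Error("invalid session_id"), { status: 400 });
  }
  const headers = { Authorization: `Bearer ${token}`, "Content-Type": "application/json" };
  if (env.TTAI_ORG_ID) headers["X-Organization-ID"] = env.TTAI_ORG_ID;
  // Only the validated field is forwarded; client headers and extra keys are dropped.
  const init = { method: "POST", headers, body: JSON.stringify({ session_id: id }) };
  return { url: UPSTREAM, init };
}

// Replace any occurrence of the token before text reaches logs or clients.
function redact(text, token) {
  return token ? String(text).split(token).join("[REDACTED]") : String(text);
}

// Express-style handler; fetchImpl is injectable so it can be exercised offline.
function makeAnalyzeHandler(env, fetchImpl = fetch) {
  return async (req, res) => {
    try {
      const { url, init } = buildUpstreamRequest(req.body, env);
      const upstream = await fetchImpl(url, { ...init, signal: AbortSignal.timeout(10000) });
      // Do not relay upstream error bodies; they may describe the credential.
      if (!upstream.ok) return res.status(502).json({ error: "upstream error" });
      res.json(await upstream.json());
    } catch (err) {
      const status = err.status || 502;
      console.error("analyze failed:", redact(err.message, env.TTAI_TOKEN));
      res.status(status).json({ error: status === 400 ? err.message : "request failed" });
    }
  };
}
```

Mount it with `app.post("/api/analyze", makeAnalyzeHandler(process.env))` after `express.json()`, so `req.body` is parsed before validation.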

Environment Variables

# .env
TTAI_TOKEN=your_token_here

const apiToken = process.env.TTAI_TOKEN;

Add to .gitignore:

.env
.env.local

Organization Context

Scope API calls to an organization:

fetch("https://api.toughtongueai.com/api/public/scenarios", {
  headers: {
    Authorization: "Bearer YOUR_TOKEN",
    "X-Organization-ID": "org_123",
  },
});

Checklist

  • Store tokens in environment variables
  • Proxy API calls through backend
  • Use HTTPS for all requests
  • Rotate tokens periodically
  • Delete unused tokens
  • Monitor API usage