
Authentication

Create and manage API tokens for the Event Hook API.

All requests to the Event Hook API require a valid API token. Tokens are scoped to your creator profile and grant read-only access to your tip event stream.

Creating a Token

  1. Go to Settings → API Tokens in your Tizemint dashboard.
  2. Click Create Token and give it a descriptive name (e.g., "n8n production", "hue lights").
  3. Copy the token immediately.

Danger
The plaintext token is shown exactly once. Tizemint stores a SHA-256 hash, so if you lose the token, revoke it and create a new one.

Token Format

Tokens use a tzmnt_ prefix followed by 64 hex characters (32 random bytes):

tzmnt_a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890

The first 14 characters (tzmnt_a1b2c3d4) serve as a non-secret prefix used for fast lookup. The full token is verified via timing-safe SHA-256 comparison.

Auth Methods

You can authenticate using either method. Both are equivalent.

Query Parameter

GET /api/tip-events/stream?token=tzmnt_abc123...

Best for: EventSource in browsers (which does not support custom headers), quick testing with curl.

Authorization Header

GET /api/tip-events/stream
Authorization: Bearer tzmnt_abc123...

Best for: server-side clients, n8n HTTP nodes, any context where you can set headers.

Token Expiry

Tokens can optionally have an expiry date set at creation time. When a token expires:

  • New SSE connections are rejected with .
  • An active SSE connection is not terminated mid-stream. The token is only checked at connection time.

Tip
For long-running automations, create tokens without an expiry. For temporary integrations or testing, set a short expiry.
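
As an added illustration (not Tizemint's own code), this Node.js sketch shows one way a server can implement the scheme described under Token Format, Auth Methods and Token Expiry: lookup by the 14-character prefix, a timing-safe comparison of SHA-256 digests, and an expiry check made once at connection time. The in-memory Map, the function names and the record fields are assumptions.

```javascript
// Added example. The Map-based store, function names and record fields are
// assumptions for illustration; they are not taken from Tizemint's code.
const crypto = require('node:crypto');

const TOKEN_RE = /^tzmnt_[0-9a-f]{64}$/; // format from "Token Format"
const PREFIX_LEN = 14;                   // "tzmnt_" plus the first 8 hex characters

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Issue a token: 32 random bytes, hex encoded. Only the prefix and the hash
// are stored, so the plaintext cannot be shown again later.
// Simplification: a prefix collision would overwrite the earlier record.
function issueToken(store, name, expiresAt = null) {
  const token = 'tzmnt_' + crypto.randomBytes(32).toString('hex');
  store.set(token.slice(0, PREFIX_LEN), { name, hash: sha256(token), expiresAt });
  return token;
}

// Accept "Authorization: Bearer <token>" first, then fall back to ?token=.
function extractToken(headers, url) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  if (m) return m[1];
  return new URL(url, 'http://localhost').searchParams.get('token');
}

// Run once when a connection is opened. Returns the token name, or null.
function verifyToken(store, token, now = Date.now()) {
  if (typeof token !== 'string' || !TOKEN_RE.test(token)) return null;
  const record = store.get(token.slice(0, PREFIX_LEN)); // non-secret lookup key
  if (!record) return null;                             // unknown or revoked
  // Both digests are 32 bytes, so timingSafeEqual cannot throw on length.
  if (!crypto.timingSafeEqual(sha256(token), record.hash)) return null;
  if (record.expiresAt !== null && now >= record.expiresAt) return null;
  return record.name;
}
```

Deleting a record from the store models revocation: the next `verifyToken` call for that token returns `null`, while a stream that already passed the check is unaffected.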

Revoking a Token

Open Settings → API Tokens, find the token by name, and delete it. Revocation is immediate — any new connection attempt with that token will be rejected.

Active SSE connections using a revoked token continue until the stream ends naturally (Vercel function timeout or client disconnect).

Security Best Practices

  • One token per integration. If an integration is compromised, revoke only that token.
  • Never commit tokens to source control. Use environment variables or a secrets manager.
  • Use the header method when your client supports it — query parameters may appear in server logs and browser history.
  • Rotate tokens periodically for production integrations.
  • Set expiry dates for tokens used in testing or temporary setups.