How to Create and Manage API Keys
Last updated: April 17, 2026
OpenTweet API keys authenticate all programmatic access — both the REST API and the MCP server. Keys use the ot_ prefix and are created in Settings. Each integration should use its own key so access can be revoked selectively.
How do I create an API key?
Go to Settings → API Keys and click 'Create API Key'. Enter a descriptive name for the key (e.g., 'Zapier Integration', 'MCP Server', 'My Automation Script'). The generated key starts with ot_ and is shown once in full immediately after creation. Copy it and store it securely in your application's environment variables — it won't be shown in full again.
How many API keys can I create?
API key limits by plan: Pro allows up to 3 keys, Advanced allows up to 10, and Agency allows up to 25. Creating separate keys per integration is a best practice — if one key is compromised, you can revoke just that key without disrupting other integrations. If you need more keys than your plan allows, upgrade to a higher tier.
How do I revoke a key?
Go to Settings → API Keys and click 'Delete' on the key you want to revoke. The key stops working immediately — any applications using that key will start receiving 401 Unauthorized errors. Create a new key and update the affected integrations if you need to restore access.
What are the security best practices?
Best practices for API key security: store keys in environment variables (never hardcode them), never expose keys in client-side JavaScript or public repos, use one key per integration for granular revocation control, rotate keys periodically, and never share keys in chat or email. If you believe a key has been compromised, delete it immediately and create a replacement.
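The practices above, as an added Python example that is not OpenTweet's own code: it reads the key from an environment variable, rejects a value without the ot_ prefix, and scans source text for hardcoded keys so they can be caught before reaching a repository. The variable name OPENTWEET_API_KEY, the function names, and the key-body pattern (16 or more URL-safe characters after ot_) are assumptions; this page documents only the prefix.

```python
import os
import re

# Assumption: only the "ot_" prefix is documented. The 16+ character
# URL-safe body is a guess used for matching, not the real key format.
KEY_PATTERN = re.compile(r"\bot_[A-Za-z0-9_-]{16,}")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so output can identify a key without leaking it."""
    return f"{key[:3]}...{key[-4:]}"


def load_key(env_var: str = "OPENTWEET_API_KEY") -> str:
    """Read the key from the environment and fail early if it is missing or malformed."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    if not key.startswith("ot_"):
        raise RuntimeError(f"{env_var} does not start with the ot_ prefix")
    return key


def find_hardcoded_keys(text: str) -> list:
    """Return (line number, redacted key) for every key-shaped literal in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


# Constructed sample input: the key value below is made up for this example.
SAMPLE_SOURCE = '''\
import os
API_KEY = "ot_EXAMPLEexample0123456789"    # hardcoded: flagged
API_KEY = os.environ["OPENTWEET_API_KEY"]  # read from environment: not flagged
'''

if __name__ == "__main__":
    for lineno, key in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded key {key}")
```

Running the scan over staged files in a pre-commit step lets a flagged file block the commit; any key it finds in history should be deleted in Settings and replaced.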