Skip to main content
API keys are currently available on the web only. Open app.mytruv.com/settings/api-keys on a desktop browser to manage them.
API keys give external tools - AI assistants, scripts, spreadsheets, automations - read-only access to the same data you can see in MyTruv. The key authenticates the tool on your behalf so it can pull your accounts, transactions, and other read-only data through the MyTruv API.

Creating a key

  1. Open Settings → API keys in the web app.
  2. Click Create API key.
  3. Give the key a recognisable name (for example, “Spreadsheet sync” or “ChatGPT”).
  4. The key is shown in full only once in a copy dialog. Copy it now and store it somewhere safe.
MyTruv never stores the plaintext key. If you lose it, you’ll need to rotate the key (which gives you a new value and invalidates the old one immediately). There’s no way to view a key again after the create dialog closes.

What you’ll see in the list

For each key, the API keys page shows:
  • The name you gave it
  • When it was created
  • When it was last used
The key value itself is never shown again - only the name, dates, and per-key actions.

Using a key

API keys authenticate as a bearer token. Include them in the Authorization header on each request: 
curl -H "Authorization: Bearer $API_KEY" https://api.mytruv.com/v1/user
The key has read-only access to your account - it can fetch data but cannot make changes, move money, or take any action on your behalf.

Rotating a key

If you suspect a key has been exposed (committed to a public repo, shared in a chat, etc.), rotate it. Rotation generates a new value and invalidates the old one immediately.
  1. On the API keys page, find the key and click Rotate.
  2. Copy the new value from the dialog (again, shown only once).
  3. Update the value in whatever tool was using the old one.

Deleting a key

If you no longer need a key, click Delete to revoke it. The key stops working immediately, and any integration using it will start receiving authentication errors.

Limits

  • You can have up to 5 API keys at a time. Delete or rotate older keys if you need to make room.
  • Key management is rate-limited (you can’t bulk-create or rotate many keys in quick succession).
  • API keys do not expire on their own - they stay active until you rotate or delete them.

Security tips

  • Treat each key like a password. Don’t paste it into chat, email, or screenshots; don’t commit it to a public repository.
  • Use one key per integration. It’s easier to rotate just the affected key if something leaks.
  • Rotate any key that may have been exposed, even if you’re not sure - rotation is cheap, and the cost of a leaked read-only key over time can be much higher than the few minutes of integration update.