Authentication
The Partner API uses API key authentication. Every request must include your API key in the x-api-key header.
API Key Format
tq_pk_<random_string>API keys start with tq_pk_ for easy identification. The full key is shown once at creation time — store it securely.
Making Authenticated Requests
Include the x-api-key header in every request:
curl -X POST https://api.tutorq.ai/api/v1/partner/search \
-H "Content-Type: application/json" \
-H "x-api-key: tq_pk_your_api_key_here" \
-d '{"query": "photosynthesis", "course_id": "abc123"}'Security
- API keys are hashed (SHA-256) before storage — we never store plaintext keys
- Each key is tied to a university ID — you can only search your own materials
- Keys can be revoked instantly if compromised
- Keys can have an expiration date (optional)
- All requests are logged with IP and metadata
Error Responses
| Status | Meaning |
|---|---|
401 | Invalid API key |
401 | API key has been revoked |
401 | API key has expired |
403 | Course does not belong to your organization |
429 | Rate limit exceeded |
Example Error
{
"detail": "Invalid API key"
}Best Practices
- Never expose your API key in client-side code (mobile app or browser). Call our API from your backend server.
- Rotate keys periodically — request a new key and revoke the old one.
- Use environment variables to store your API key, not hardcoded in source code.
- Monitor usage via the usage endpoint to detect anomalies.
Getting Your API Key
Contact us at venkat@q3learners.com to set up your partner account and receive an API key.