Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.trellistech.com/llms.txt

Use this file to discover all available pages before exploring further.

Trellis uses workspace API keys to authenticate trusted server-side integrations and MCP clients. Send the key as a Bearer token in the Authorization header. 
curl -H "Authorization: Bearer trls_acmevaca_abc123..." \
  https://api.trellistech.com/v1/mcp-server/.well-known/oauth-protected-resource

Obtain an API key

  1. Log in to the Trellis Dashboard.
  2. Open the workspace where the integration should operate.
  3. Go to Settings > Developer and open the Developer / API section.
  4. In API Keys, click Create Key.
  5. Give the key a clear name, such as “Operations MCP” or “Reporting worker”.
  6. Copy the key immediately and store it in your server-side secret manager.
API keys are only displayed once. If you lose a key, revoke it and create a new one.

Key scope

Each API key belongs to one workspace. Trellis rejects cross-workspace requests, even if the same user belongs to multiple workspaces.
ScopeBehavior
WorkspaceThe key can only access the workspace where it was created
Server-side onlyDo not expose the key in browser or mobile client code
RevocableRevoked keys stop working immediately

Security best practices

  • Store keys in environment variables or a secret manager.
  • Never commit a key to source control.
  • Rotate keys periodically.
  • Create separate keys for separate systems so you can revoke one integration without disrupting others.
  • Use explicit user confirmation before any connected client creates tasks, updates records, or sends messages.

Revoking a key

  1. Go to Settings > Developer and open the Developer / API section.
  2. Find the key you want to revoke.
  3. Click Revoke.
  4. Confirm the action.
Any client using the revoked key will receive 401 Unauthorized.