The Trellis API uses API keys to authenticate requests. All API requests must include a valid key in the Authorization header.

Making Authenticated Requests

Include your API key as a Bearer token in the Authorization header of every request:
curl -H "Authorization: Bearer trls_live_abc123..." \
  https://api.trellistech.com/v1/properties

Obtaining an API Key

  1. Log in to your Trellis Dashboard
  2. Navigate to Settings > API Keys
  3. Click Create API Key
  4. Give the key a descriptive name (e.g., “PMS Integration” or “Reporting Script”)
  5. Set the appropriate permissions for your use case
  6. Click Create and copy the key immediately
API keys are only displayed once at creation time. Store your key securely — you will not be able to view it again. If you lose a key, revoke it and create a new one.

API Key Format

Trellis API keys use the prefix trls_ followed by an environment indicator and a unique string:
| Prefix | Environment |
| --- | --- |
| trls_live_ | Production |
| trls_test_ | Sandbox / Testing |
Test keys operate against a sandbox environment and will not affect your live data.

Key Permissions

API keys are scoped to a single workspace. Each key inherits access to all data within its workspace, including properties, reservations, tasks, and conversations. You can restrict a key’s permissions when creating it:
| Permission | Access |
| --- | --- |
| Read | View properties, reservations, tasks, and conversations |
| Write | Create and update tasks, update properties |
| Full | All read and write operations |

Revoking a Key

To revoke an API key:
  1. Go to Settings > API Keys in your Trellis Dashboard
  2. Find the key you want to revoke
  3. Click the Revoke button
  4. Confirm the action
Revoked keys immediately stop working. Any integration using the revoked key will begin receiving 401 Unauthorized responses.

Security Best Practices

  • Never expose API keys in client-side code (browsers, mobile apps). API keys should only be used in server-side applications.
  • Use environment variables to store keys rather than hardcoding them in source code.
  • Rotate keys periodically and revoke keys that are no longer in use.
  • Use the minimum required permissions for each key.
  • Monitor usage in the API Keys dashboard to detect unexpected activity.
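
One way to enforce the "no hardcoded keys" practice is a pre-commit or CI check that searches files for the trls_live_ and trls_test_ prefixes. The following is an added example, not Trellis code; the tail pattern of the key, the block-on-production policy, the TRELLIS_API_KEY variable name, and the sample files are all assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Prefixes come from the key-format table on this page. The page does not give the
# alphabet or length of the trailing string, so the tail pattern is an assumption.
KEY_RE = re.compile(r"trls_(live|test)_[A-Za-z0-9]{6,}")
ENVIRONMENTS = {"live": "Production", "test": "Sandbox / Testing"}


class Finding(NamedTuple):
    path: str
    line: int
    environment: str
    redacted: str   # prefix plus two characters, rest masked
    blocking: bool  # assumed policy: a hardcoded production key fails the check


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            key, env = m.group(0), m.group(1)
            keep = m.end(1) - m.start() + 1 + 2  # "trls_<env>_" plus two characters
            # A sample elided with "..." (as in the curl example) is reported, not blocked.
            placeholder = line[m.end():].startswith("...")
            findings.append(Finding(path, lineno, ENVIRONMENTS[env],
                                    key[:keep] + "*" * (len(key) - keep),
                                    env == "live" and not placeholder))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path in sorted(files) for f in scan_text(path, files[path])]


# Constructed sample inputs; the key strings are made up and TRELLIS_API_KEY is an
# assumed environment variable name.
SAMPLE_FILES = {
    "README.md": 'curl -H "Authorization: Bearer trls_live_abc123..." ...\n',
    "scripts/report.py": 'HEADERS = {"Authorization": "Bearer trls_live_Zx9Qw2Lm7Rt4"}\n',
    "sync/pms.py": 'import os\nAPI_KEY = os.environ["TRELLIS_API_KEY"]\n',
    "tests/conftest.py": '# sandbox only\nKEY = "trls_test_Ab12Cd34Ef56"\n',
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.environment} key {f.redacted}"
              f" [{'BLOCK' if f.blocking else 'warn'}]")
    raise SystemExit(1 if any(f.blocking for f in results) else 0)
```

Findings print only a masked form of the key, so the check's own output does not leak the secret into CI logs.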