build 3.0.0 · aes-256-gcm / ml-kem-768 · eu/de · ram only

API key vs TOTP — what's the difference?

Paramant uses two credential types for different purposes. Understanding which one you need — and when you need both — prevents most authentication problems.

The short version

API key

  • A static secret string, 64 hex characters
  • Identifies your account to the API
  • Does not expire automatically
  • Issued once, stored by you
  • Used by machines, scripts, and integrations

TOTP code

  • A 6-digit code that changes every 30 seconds
  • Proves you hold the enrolled authenticator device
  • Generated by your authenticator app
  • Cannot be replayed: a code captured in a log expires within 30 seconds
  • Used for interactive logins to the dashboard

When you need just the API key

Machine-to-machine calls — IoT devices, CI pipelines, server scripts — use the API key alone. The key goes in the Authorization header on every request. No TOTP code is required because the machine cannot open an authenticator app.

Use a dedicated API key for each integration so you can revoke one without affecting the others. Create additional keys in Dashboard → API keys.

When you need both

Signing in to the Paramant web dashboard at paramant.app/auth/login always requires both. The flow is:

  1. Enter your email address
  2. Enter your API key (acts as your password)
  3. Enter the current 6-digit TOTP code from your authenticator app

This two-factor approach means a leaked API key alone cannot grant dashboard access. An attacker would also need your physical authenticator device.
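An added example, not Paramant's own code, showing the server-side checks behind the flow above: a minimal RFC 6238 TOTP generator, a verifier that enforces the 30-second window and rejects a reused code, and a login check that requires both factors. HMAC-SHA1, a one-step clock-drift allowance, and the demo secret and key are assumptions.

```python
import hmac
import hashlib
import struct

# Constructed demo values (the secret is the RFC 6238 test-vector secret);
# neither is a real Paramant credential.
DEMO_SECRET = b"12345678901234567890"
DEMO_KEY = "ab" * 32  # 64 hex characters, the page's stated key length

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 (the usual authenticator default; assumed here)."""
    counter = at // step                      # which 30-second step 'at' falls in
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Accepts the current step or one neighbour (clock drift) and remembers the
    newest step already consumed, so a code lifted from a log cannot be replayed."""
    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_accepted_step = -1          # newest step whose code was used

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue                      # already used (or older): reject replay
            expected = totp(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False                          # wrong, expired, or reused code

def dashboard_login(stored_key: str, presented_key: str,
                    verifier: TotpVerifier, code: str, now: int) -> bool:
    """Both factors must pass; the key comparison is constant-time.
    A wrong key does not consume the TOTP step, so nothing is burned by a bad attempt."""
    key_ok = hmac.compare_digest(stored_key.encode(), presented_key.encode())
    return key_ok and verifier.verify(code, now)
```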

Why not just use a password?

Paramant has no passwords. The API key functions as one — it is long, random, and machine-generated — but it also serves as the credential for API calls. Combining it with TOTP gives you two-factor authentication without a separate password to manage or a password reset flow to abuse.

Key rotation

Rotate your API key if you suspect it has been exposed: Dashboard → API keys → Revoke, then Generate new key. Update the key in any integrations that use it. The old key stops working immediately on revocation.

Revoking your only key locks you out of the dashboard as soon as your current session ends, because the next login needs a key you no longer have. Always keep a secondary key, or rotate from an active session and generate the new key before you sign out.

Common questions

Can I use my API key to call the API without TOTP?

Yes. Direct API calls (upload, download, list transfers) require only the API key in the Authorization header. TOTP is only needed for the interactive web login.

My API key was in a public Git commit. What do I do?

Revoke it immediately from the dashboard, then generate a new one. Treat any transfers made with the old key as potentially compromised and notify your recipients if the content was sensitive.

How long is an API key valid?

API keys do not expire automatically. They remain valid until you revoke them. Sessions created via the web login expire after 1 hour.

Related

Set up your authenticator

Step-by-step guide for enrolling an authenticator app.

IoT & embedded devices

Using the API key on constrained devices with no TOTP.