# Takumi Guard: Improved Token Delivery

Takumi Guard now delivers your API key **directly in the setup email** — no verification link to click. Setup is simpler, and enterprise email security tools no longer interfere with key delivery.

## Overview

Previously, your API key was revealed only after clicking a verification link in the setup email. This worked in most environments, but enterprise email security tools (like Microsoft Defender Safe Links) pre-scan URLs via GET requests, consuming the one-time token before you could click it.

The new flow removes the link entirely. Your key and setup commands arrive ready to use.

**Before:** Register → click verification link → see key → configure your project

**After:** Register → key and copy-paste setup commands arrive in email → done

## Security

The key in your inbox has limited exposure. Here's why:

- **The key alone exposes nothing.** It cannot retrieve user data, download history, or any sensitive information.
- **Invalid keys don't break your builds.** If the key leaks and you invalidate it, `npm install` and `pip install` continue to work. Only the elevated rate limit (10k req/min) stops applying; the standard rate limit remains in effect.
- **You can rotate immediately.** The welcome email includes a one-line command to regenerate your key, so you can rotate it out of your inbox right after setup.

## Key Recovery

Lost your API key? No need to contact support.

Re-register with the same email to receive a **reset code**. Use it to generate a fresh key — the email includes a copy-pasteable command. If the code expires, simply re-register again. There is no dead end.

For details, see [Token Management](/docs/t/guard/features/token-management).

## What's Staying the Same

- Existing API keys continue to work — no action needed
- Old verification links now display instructions to re-register
- Both npm and PyPI ecosystems are supported

See [Takumi Guard](/docs/t/guard) for setup instructions.