Please note that the TKey currently for sale in the web shop is a provisioned and locked-down version meant for end-users. It's immediately ready for use.
This means you can't change the bitstream or even read out the bitstream (or the Unique Device Secret, UDS) from the TKey FPGA configuration memory even if you break the case and insert it into a programmer board.
We have updated the text on the web shop and will immediately update other documentation to reflect this.
Even if you can't read out the bitstream from the FPGA you can verify the TKey you got through the mail with the tkey-verification program which we point to in:
https://tillitis.se/getstarted/
On Github:
https://github.com/tillitis/tkey-verification
This won't verify the bitstream itself but it will verify that the computed CDI is the same as when we provisioned it (thus proving the presence of the same UDS in the bitstream) and that the firmware is unchanged.