API keys
Overview
An API key is an authentication key generated by our API to identify the source making a request to the Databento platform.
API keys add a layer of security to your account. With them, you can authenticate data requests without using your account username or password. You can also assign specific permissions to team members and limit data access. Protect your API key like your password—never give it to a third party.
There is a limit of 100 API keys on your account. If the maximum number of keys is reached, a 403 error status will be returned when attempting to create a new key.
Creating an API key
- Click the Create a new key button.
- Provide a descriptive name for your API key (API key names must be unique, and up to 64 characters long).
- Click on the Create button.
Editing an API key
- Click on the pencil icon for the key you want to edit.
- Type a new name for the API key.
- Click on the Save button.
Rotating an API key
We recommend that you regularly rotate all API keys for security reasons. This limits the time any one key is active, reducing potential billing impact if a key becomes compromised. See the end of this guide for other best practices to secure your API keys.
- Click on the rotate icon for the key you want to rotate.
- Click on the Rotate button to confirm.
Note: Any live applications currently using the API key will be disconnected.
Deleting an API key
- Click on the trash can icon for the key you want to delete.
- Click on the Delete button to confirm.
Note: Before you delete a key, we recommend you first test that it's no longer in use.
Copying an API key
- Click on the copy icon for the key you want to copy. The API key has now been copied to your clipboard.
Securing your API keys
Since API keys are used to authenticate requests, it's important to secure them. If your API key is exposed and used to access data, your account will incur billing charges. Aside from regularly changing your API keys, here are some best practices to keep them secure:
- Don't store your API keys within source code under version control. Instead, we recommend setting your API keys as environment variables. If you need to store an API key in a file, it's advised to store it in an .env file that's read at runtime.
- Regenerate any API key that may have been compromised. If you have reason to believe that an API key has been compromised, delete it immediately. You can create a new one in your Databento portal.
- Use a different API key for each application. This allows you to isolate incidents and regenerate the key for one application without affecting others.
- Turn on historical usage limits. Users with a compromised API key are liable for any unauthorized charges. For additional protection against misuse, you can set up usage limits in your Databento portal. These limits can't be adjusted via API.
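As an added illustration of the first practice above (not Databento's own code): a loader that reads the key from the environment, falls back to an .env file read at runtime, and refuses a file that other local users can read. The variable name DATABENTO_API_KEY, the function names and the sample values are assumptions made for this example.

```python
import os
import stat
from pathlib import Path

KEY_VAR = "DATABENTO_API_KEY"  # assumed variable name, not stated on this page


def parse_env_file(path):
    """Parse KEY=VALUE lines; skips blanks and comments, strips quotes."""
    values = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[name.strip()] = value
    return values


def load_api_key(env_file=".env", environ=None):
    """Return the key from the environment, else from a private .env file."""
    environ = os.environ if environ is None else environ
    key = environ.get(KEY_VAR, "").strip()
    if key:
        return key
    path = Path(env_file)
    if not path.is_file():
        raise RuntimeError(f"{KEY_VAR} is not set and {env_file} does not exist")
    # Refuse a file that other local users can read (POSIX permission bits).
    if os.name == "posix" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{env_file} is accessible to group/other; run chmod 600")
    key = parse_env_file(path).get(KEY_VAR, "")
    if not key:
        raise RuntimeError(f"{KEY_VAR} not found in {env_file}")
    return key


def mask(key):
    """Form that is safe to log: only the last four characters."""
    return "*" * max(len(key) - 4, 0) + key[-4:]
```

Add the .env file to .gitignore so it never enters version control, and log only the masked form of the key.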
Revoked API key
Your account security is important to us. If we find that an API key has been made public, whether on GitHub, in our Slack community, or elsewhere, we'll revoke the key to protect your account. A revoked API key can't be used for authentication, so to remedy this, rotate the revoked key or create a new key.