Authentication
Per-account bearer keys with optional scopes.
Every request carries a bearer key:
Keys are created in Account → Settings → API keys and are included on the Professional and Business plans. The full key is shown once at creation; only a hash is stored, so copy it then. A key can be revoked at any time, and if the account leaves the Professional or Business plans its keys stop authenticating until the plan returns. Revoking is permanent; a plan change is not.
Scopes
A key can be restricted at creation to a subset of scopes, so a key you embed in a dashboard or hand to a contractor cannot do more than you granted. A key created with every box checked (the default) has full access. Calling an endpoint the key was not granted returns 403 insufficient_scope.
| Scope | Covers |
|---|---|
| data:read | Statistics search and fetch, exact-statistic construction, the source registry. |
| chart:read | Reading and listing charts, and exporting them as files. |
| chart:write | Creating, updating, publishing, and deleting charts, and loading data into them. |
| folder:read | Listing and reading folders. |
| folder:write | Creating, renaming, moving, and deleting folders. |
| theme:read | Listing the account's themes. |
The scope each endpoint requires is listed on the endpoints page.