REST API authentication
The Xata API uses API keys to authenticate users, ensuring secure interactions with the database.
To access Xata via the API, authentication is required using an API key associated with the workspace. Client libraries like TypeScript or Python include this key in the "Authorization" header when emitting HTTPS requests to Xata. If you're using tools like cURL to make HTTPS requests directly, you'll need to include the API key in the "Authorization" HTTP request header.
You can use a personal API key to log in to the Xata CLI client, granting you access to your workspaces and databases.
To create an API key, visit the Account Settings page and click + Add a key. You'll be prompted to enter a name for your key, then click Save. Upon regenerating a key, the previous key instance becomes invalid immediately. You need to update the API key value with the new value in every place where it is used.
All the API keys you generate are listed in the "Personal API Keys" section of your Account Settings.
For security and access control reasons, it's important to regenerate your API key if you have any concerns about its security. Do not share or disclose your API key under any circumstances. If you suspect that your key's security has been compromised, take action by clicking Regenerate to update it.
After you have an API key, you're ready to interact with any route on our API reference, passing the key in the request's Authorization
header. For example, to get a list of your workspaces, you can make a request like the following:
import fetch from 'node-fetch'
fetch('https://api.xata.io/workspaces', {
headers: {
Authorization: 'Bearer YOUR_API_KEY', // <- the magic
'Content-Type': 'application/json',
},
})
.then((response) => response.json())
.then((workspaces) => console.log('Look ma! Workspaces!', workspaces))
from requests import request
headers = {
'Authorization': 'Bearer YOUR_API_KEY',
'Content-Type': 'application/json',
}
resp = request("GET", "https://api.xata.io/workspaces", headers=headers)
print(resp.json())
curl -X GET https://api.xata.io/workspaces \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json"
Note that we
import fetch from "node-fetch"
because we recommend interacting with the Xata API from a backend that serves as a proxy to our API. This protects your API key by not exposing it to a browser environment. Whenfetch
is called in a browser, all headers sent with the request are visible in a browser's developer tools, which has severe security implications. This visibility can have serious security consequences, as it may lead to the unintended exposure of your API key, potentially putting your database at risk of security threats.