REST API authentication

The Xata API uses API keys to authenticate users, ensuring secure interactions with the database.

To access Xata via the API, authentication is required using an API key associated with the workspace. Client libraries like TypeScript or Python include this key in the "Authorization" header when emitting HTTPS requests to Xata. If you're using tools like cURL to make HTTPS requests directly, you'll need to include the API key in the "Authorization" HTTP request header.

You can use a personal API key to log in to the Xata CLI client, granting you access to your workspaces and databases.

To create an API key, visit the Account Settings page and click + Add a key. You'll be prompted to enter a name for your key, then click Save. Upon regenerating a key, the previous key instance becomes invalid immediately. You need to update the API key value with the new value in every place where it is used.

All the API keys you generate are listed in the "Personal API Keys" section of your Account Settings.

For security and access control reasons, it's important to regenerate your API key if you have any concerns about its security. Do not share or disclose your API key under any circumstances. If you suspect that your key's security has been compromised, take action by clicking Regenerate to update it.

After you have an API key, you're ready to interact with any route on our API reference, passing the key in the request's Authorization header. For example, to get a list of your workspaces, you can make a request like the following:

import fetch from 'node-fetch'
fetch('', {
  headers: {
    Authorization: 'Bearer YOUR_API_KEY', // <- the magic
    'Content-Type': 'application/json',
.then((response) => response.json())
.then((workspaces) => console.log('Look ma! Workspaces!', workspaces))