API Keys

Data API keys (dk_ keys) let you connect external tools to your Querri data — BI tools, automation platforms, custom scripts, partner integrations — through a governed, auditable channel.

Why API keys matter

Without API keys, people share data through shadow channels: emailed CSVs, shared credentials, screenshots on Slack. All of these are unauditable, unrevocable, and frozen at export time.

dk_ keys are strictly better than every real-world alternative:

• Auditable — you can see who created a key, when it was last used, and what it accessed
• Revocable — instant deactivation, no chasing down copies of a CSV
• Scoped — a key can only access what you specify
• Live — queries always return current data, not a stale export

The real comparison

The question isn’t “are API keys as secure as no sharing at all?” — it’s “are API keys more secure than emailing a CSV?” The answer is yes, by every measure.

Creating a key

1. Go to Settings > Security > API Keys
2. Click Create API Key
3. Configure:
   • Name: A descriptive label (e.g., “Production BI Tool”, “Analytics Pipeline”)
   • Table scope: All sources or specific sources only
   • Rate limit: Requests per minute (default: 60, max: 10,000)
4. Click Create
5. Copy the key immediately — it’s only shown once

Save your key

The full key is only displayed at creation time. If you lose it, you’ll need to create a new one and update your integration.

How security works

dk_ keys use a restricted delegation model. A key can never access more than its creator can access.

• If you have access policies that restrict you to Southeast data, any key you create is also restricted to Southeast data
• If your policies change, the key’s effective access changes too — automatically
• No privilege escalation is possible

You can also assign access policies directly to a key, adding further restrictions on top of the creator’s access.

Using a key

Authenticate API requests with the key as a Bearer token:

# List accessible sources
curl -H "Authorization: Bearer dk_your_key_here" \
     -H "X-Tenant-ID: your_org_id" \
     https://app.querri.com/api/data-api/sources

# Get paginated data (access policies applied automatically)
curl -H "Authorization: Bearer dk_your_key_here" \
     -H "X-Tenant-ID: your_org_id" \
     "https://app.querri.com/api/data-api/sources/{source_uuid}/data?page=1&page_size=100"

Keys currently support read-only access. Write capabilities are planned for a future release.

Revoking a key

1. Go to Settings > Security > API Keys
2. Find the key by name or prefix
3. Click Revoke

The key is immediately invalidated. Any requests using it will receive an error. Revoked keys remain visible in the list for audit purposes.

Admin controls

Key creation is currently restricted to organization admins. Admins can also disable key creation entirely for the organization — see Admin Controls.

Best practices

• One key per integration — don’t share keys across tools
• Use explicit table scope — limit keys to only the sources they need
• Rotate regularly — create a new key, update your integration, revoke the old one
• Monitor usage — check “Last Used” timestamps and the audit log for unusual activity
• Never commit keys to source control — use environment variables or secrets managers

Next steps

• Access Policies — The policies that govern what keys can access
• Audit Log — Track key creation, usage, and revocation
• Admin Controls — Disable key creation at the org level