API Keys
API keys (qk_ keys) let you connect external tools to Querri programmatically — BI tools, automation platforms, custom scripts, partner integrations — through a governed, auditable channel with fine-grained permission scopes.
Why API keys matter
Section titled “Why API keys matter”Without API keys, people share data through shadow channels: emailed CSVs, shared credentials, screenshots on Slack. All of these are unauditable, unrevocable, and frozen at export time.
qk_ keys are strictly better than every real-world alternative:
- Auditable — you can see who created a key, when it was last used, and what it accessed
- Revocable — instant deactivation, no chasing down copies of a CSV
- Scoped — a key gets only the permissions it needs (Data Access, Full Access, or custom)
- Live — queries always return current data, not a stale export
- Time-limited — keys can have expiration dates for automatic rotation
Creating a key
Section titled “Creating a key”- Go to Settings > API Keys
- Click Create API Key
- Configure:
- Name: A descriptive label (e.g., “Production BI Tool”, “Analytics Pipeline”)
- Permission scope: Choose from preset scopes or customize
- Expiration: Optional expiration date for automatic key rotation
- Click Create
- Copy the key immediately — it’s only shown once
Permission scopes
Section titled “Permission scopes”Each key gets a specific set of permissions. Choose from presets or build a custom scope:
| Preset | Permissions |
|---|---|
| Full Access | All API endpoints — projects, chats, dashboards, data, sharing, users, connectors, and more |
| Data Access | Read-only access to data sources, files, and query results |
For custom scopes, you can combine individual permissions:
- Projects — create, read, update, delete projects
- Data — access data sources and query results
- Users — manage organization members
- Sharing — manage share links and permissions
- Connectors — manage data connectors
How security works
Section titled “How security works”qk_ keys use a scoped permission model. A key can only perform the actions its scope allows, and never more than its creator can access.
- If you have access policies that restrict you to certain data, any key you create is also restricted
- If your policies change, the key’s effective access changes too — automatically
- No privilege escalation is possible
Using a key
Section titled “Using a key”Authenticate API requests with the key as a Bearer token:
# List accessible sourcescurl -H "Authorization: Bearer qk_your_key_here" \ -H "X-Tenant-ID: your_org_id" \ https://app.querri.com/api/v1/sources
# Get paginated data (access policies applied automatically)curl -H "Authorization: Bearer qk_your_key_here" \ -H "X-Tenant-ID: your_org_id" \ "https://app.querri.com/api/v1/sources/{source_uuid}/data?page=1&page_size=100"See the API Reference for the full list of available endpoints.
Revoking a key
Section titled “Revoking a key”- Go to Settings > API Keys
- Find the key by name or prefix
- Click Revoke
The key is immediately invalidated. Any requests using it will receive an error.
Admin controls
Section titled “Admin controls”Admins can disable qk_ API key creation for the entire organization — see Admin Controls.
Best practices
Section titled “Best practices”- One key per integration — don’t share keys across tools
- Use the narrowest scope possible — give keys only the permissions they need
- Set expiration dates — use automatic expiration for keys that don’t need to live forever
- Rotate regularly — create a new key, update your integration, revoke the old one
- Monitor usage — check “Last Used” timestamps and the audit log for unusual activity
- Never commit keys to source control — use environment variables or secrets managers
Next steps
Section titled “Next steps”- API Reference — Full API documentation
- Access Policies — The policies that govern what keys can access
- Audit Log — Track key creation, usage, and revocation
- Admin Controls — Disable key creation at the org level