
API Keys!

Dear friends and authors,

We’ve just launched a new API key feature, now available in your settings, which will allow you to create secret API keys with read-only access to your private notebooks.

Here are the full details:

But, in a small nutshell:

  • API keys allow reads of private notebooks, as .js file or a .tgz tarball, at any version.
  • Keys are specific to your personal or team account (your personal API keys can’t read team notebooks).
  • API keys don’t expire, and you can create as many as you like, and rotate them when you like.
  • Treat them like you would a password, and don’t embed them on any public webpage.

I’d love to hear your thoughts on this new feature, what other API endpoints you’d like these keys to unlock in the future, and any other concerns, complaints or comments about the design…


@jashkenas Thanks a lot for bringing the secret API keys for read-only access!
I’m curious though to know whether bringing JWT authentication is on the roadmap?

Thinking of embedding Observable cells into a website / blog, I’d find it safer if we could sign the url with tokens that would expire, rather than using a “static” API key in the url, particularly when sharing sensitive content. This is for example how companies like Metabase or Holistics.io enable their secure embedding of reports.

I think it’d be a great advantage for CMS like Wordpress (my case); I am not at all strong in PHP, so I haven’t found an easy way to use HTTP headers when embedding content in a post (but if anyone has ideas I’m all ears! :slight_smile: )

Hi @javpascal,

That’s a very interesting idea! In the implementation you link, the website still needs custom server-side support in order to use the secret API key to generate the token — so I’m not sure how much it would help in a basic CMS (ie. Wordpress) context.

We’ll keep user-signed JWT tokens in mind for a further evolution of the current API key design.

Hi @jashkenas, you’re correct - in this case the token generation needs to be performed on the client side, to prevent the secret key from being disclosed in the browser.

However there are alternatives to it, like through a custom plugin within Wordpress. If you’re curious, there’s a great implementation of report embedding built by Mode Analytics:

Where basically the secret key is added in the backend, and when embedding the report on a post, one simply needs to include a shortcode pointing at the desired report to load.