API Keys

2024-03-29

This topic is under construction for the 24.3 (March 2024) release of LabKey Server.

API Keys can be used to authenticate client code accessing LabKey Server using one of the LabKey Client APIs. Authentication with an API Key avoids needing to store your LabKey password or other credential information on the client machine. When desired, a single user can have multiple simultaneous API Keys that allow the same access for different purposes.

Overview

An API Key can be specified in .netrc/_netrc, provided to API functions, and used with external clients that support Basic authentication. A valid API Key grants whoever holds it the same access to your data and actions that your account has, so it should be kept secret. API Keys have security benefits over passwords:

  • They are tied to a specific server
  • They're usually configured to expire, and can be revoked by an administrator
  • They provide API access for users who sign in via single sign-on authentication mechanisms such as CAS and SAML
  • They also provide API access for servers configured for two-factor authentication (such as Duo or TOTP)
An administrator can configure the server to allow users to obtain an API Key (or token) once they have logged in. API Keys can be configured to expire after a duration specified by the administrator. An administrator also retains the power to immediately deactivate one or more API Keys whenever necessary.

Some environments, such as compliance-controlled deployments, require that access be tied to the current browser session and run under its full context: your user, your authorizations and, if applicable, your declared terms of use and PHI level, and your current impersonation state. In those cases you will need to use a session key instead. Session keys expire at the end of the session, whether by timeout or explicit logout.

Configure API Keys (Admin)

  • Select (Admin) > Site > Admin Console.
  • Under Configuration, click Site Settings.
  • Under Configure API Keys, check the box for Let users create API Keys.
  • Select when to Expire API Keys. Options:
    • Never (default)
    • 7 days (1 week)
    • 30 days (1 month)
    • 90 days (3 months)
    • 180 days (6 months)
    • 365 days (1 year)
  • Click Save.

Access and Use an API Key (Developers/Users)

The API Key is a long, randomly generated token that provides an alternative authentication credential for use with APIs. A valid API Key provides complete access to your data and actions, so it should be kept secret.

Once enabled, a logged-in user can retrieve an API Key via username > External Tool Access:

Click Generate API Key to create one.

Click the button to copy it to the clipboard. Important: the key itself will not be shown again and cannot be retrieved by anyone, including administrators. If you lose it, generate a new one.

Click Done at the bottom of the page.

You can then use this key in a .netrc/_netrc file or via clients that authenticate using Basic authentication. All access to the system will be subject to your authorization and logged with your user information.

If needed, you can generate multiple API Keys and use them in different contexts at the same time to provide the same access under your credentials.

Note: When an administrator is impersonating a user, group or role, they cannot generate an API Key.

Example: .netrc/_netrc File

To avoid embedding credentials in your code, you can use the API Key as the password in a .netrc/_netrc file. The login is "apikey" (instead of your email address) and the password is the entire API Key. This is the recommended method of using an API Key and is compatible with all LabKey client libraries. Because the file holds a credential, keep it readable only by your own account (for example, mode 0600 on Linux or macOS) and do not check it into source control.

machine localhost
login apikey
password the_long_string_api_key

Any API use via a LabKey client library will then access the server with your permissions until the key expires or is revoked by an administrator.

Troubleshooting

If you see an error like one of these:

Error in handleError(response, haltOnError) : 
HTTP request was unsuccessful. Status code = 401, Error message = User does not have permission to perform this operation.

labkey.exceptions.RequestAuthorizationError: '401: User does not have permission to perform this operation.'

Check whether you are using an invalid API Key: one that has expired, has been revoked, or carries extra characters, such as the "apikey|" prefix that earlier releases used and that is no longer accepted, or whitespace copied along with the key. The invalid key may be in your script or in the .netrc/_netrc file.
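As an added example, not code from the LabKey documentation or from the LabKey client libraries, the following Python script shows how a Basic-authentication client consumes a .netrc entry of the form shown above, and how to catch the mistakes this troubleshooting section lists before a request is sent. The host names, the sample key and the .netrc contents are constructed for the example, and the helper functions (read_netrc_credentials, check_apikey_entry, basic_auth_header) are hypothetical, not part of any LabKey API.

```python
import base64
import netrc
import os
import tempfile

# Constructed sample .netrc for this example; the hosts and keys are not real.
# Entries follow the convention described above: login "apikey", password = key.
SAMPLE_NETRC = """\
machine labkey.example.org
login apikey
password 2f9c1a7e4b3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f

machine legacy.example.org
login apikey
password apikey|2f9c1a7e4b3d5e6f7a8b9c0d1e2f3a4b5c6d7e8f

machine wrong-login.example.org
login alice@example.org
password hunter2
"""

# Prefix used by earlier LabKey releases; a key that still carries it is rejected.
LEGACY_PREFIX = "apikey|"


def read_netrc_credentials(path, machine):
    """Return (login, password) for `machine` from the netrc file at `path`.

    An explicit path is passed so Python's netrc module skips the
    owner/permission check it applies only to the default ~/.netrc.
    """
    auth = netrc.netrc(path).authenticators(machine)
    if auth is None:
        raise LookupError(f"no netrc entry for machine {machine!r}")
    login, _account, password = auth
    return login, password


def check_apikey_entry(login, password):
    """Validate a netrc entry against the API Key conventions in this topic.

    Returns the cleaned key, or raises ValueError naming the defect that a
    401 'User does not have permission' response usually traces back to.
    """
    if login != "apikey":
        raise ValueError(f"login must be 'apikey', not {login!r}")
    key = password.strip()
    if key.startswith(LEGACY_PREFIX):
        raise ValueError("key carries the obsolete 'apikey|' prefix; generate a new key")
    if not key or any(c.isspace() for c in key):
        raise ValueError("key is empty or contains embedded whitespace")
    return key


def basic_auth_header(key):
    """Build the Authorization header a Basic-auth client sends: apikey:<key>."""
    token = base64.b64encode(f"apikey:{key}".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def apikey_header_from_netrc(path, machine):
    """Resolve the key for `machine` from netrc, validate it, and build the header."""
    login, password = read_netrc_credentials(path, machine)
    return basic_auth_header(check_apikey_entry(login, password))


def write_sample_netrc():
    """Write the constructed sample to a temp file readable only by the owner."""
    fd, path = tempfile.mkstemp(prefix="netrc-")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_NETRC)
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    path = write_sample_netrc()
    print(apikey_header_from_netrc(path, "labkey.example.org"))
    for host in ("legacy.example.org", "wrong-login.example.org"):
        try:
            apikey_header_from_netrc(path, host)
        except ValueError as err:
            print(f"{host}: {err}")
```

The header the script builds is the same one `curl -u apikey:<key>` sends, so it can be pasted into any HTTP client that takes a raw Authorization header. Running the checks locally turns the two netrc mistakes described above (the legacy "apikey|" prefix and an entry whose login is an email address rather than "apikey") into an immediate, specific error instead of a generic 401 from the server.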

Manage API Keys (Admin)

A site administrator can manage API Keys generated on the server using the APIKey query. Link to it from the top of the (username) > External Tool Access page.

You will see the keys that have been generated on this server, listed by username and displaying the time of creation as well as expiration (where applicable). Note that session keys are not listed here, and there is no ability for a non-admin user to see or delete their own keys.

To revoke an API Key, such as in a case where it has been compromised or shared, select the row and click (Delete). To revoke all API Keys, select all rows and delete.

Related Topics