API Keys

API keys allow you to authenticate programmatic access to the Qarion platform. They are used by CI/CD pipelines, scripts, the Qarion CLI, and the Python SDK to interact with the API without requiring interactive login.

What is an API Key?

An API Key is a secret token that identifies and authenticates a specific user when making API requests. Each key inherits the permissions of the user who created it, ensuring that API access follows the same governance rules as interactive access.

Creating an API Key

Navigate to your Settings page and select the API Keys section. Click Create API Key to generate a new key.

You can provide a Name for the key to help you identify its purpose later (e.g., "CI Pipeline - Production" or "dbt Integration"). The key value is displayed once at creation time — copy and store it securely, as it cannot be retrieved again after the dialog is closed.

Caution: Treat API keys like passwords. Never commit them to source control, share them in chat, or include them in client-side code. Use environment variables or a secrets manager to store keys.

Using API Keys

With the Python SDK

import os

from qarion import QarionClient

# Read the key from the environment instead of hardcoding it in source.
client = QarionClient(api_key=os.environ["QARION_API_KEY"])

With the CLI

export QARION_API_KEY="your-api-key-here"
qarion quality trigger my-space my-check

With Direct API Calls

Include the API key in the Authorization header of your HTTP requests:

Authorization: Bearer your-api-key-here

Managing API Keys

Viewing Keys

The API Keys section lists all your active keys, showing the key name, creation date, and last-used timestamp. The actual key value is never displayed after initial creation.

Revoking Keys

To revoke a key, click the Delete button next to it. Revoked keys are immediately invalidated — any requests using the revoked key will fail with an authentication error.

Warning: Revoking a key is immediate and irreversible. Any pipelines or integrations using the key will stop working. Create a replacement key before revoking the old one to avoid downtime.

Best Practices

Use Descriptive Names

Name keys after their purpose (e.g., "GitHub Actions - Staging"). This makes it easy to identify which key to revoke if one is compromised.

Rotate Regularly

Create new keys periodically and retire old ones. This limits the impact of a compromised key that goes undetected.

One Key Per Integration

Avoid sharing a single key across multiple integrations. If a key needs to be revoked, isolating keys by integration minimizes the blast radius.

Monitor Usage

Check the "last used" timestamp periodically. Keys that haven't been used recently may no longer be needed and should be revoked to reduce your attack surface.
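
The rotation and usage checks above can be applied to a key inventory in a few lines. This is an added example, not part of the Qarion documentation or SDK: the records are constructed sample data using the three fields the API Keys section shows (name, creation date, last-used timestamp), and the 90-day, 30-day and 7-day thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds; the page gives no specific numbers.
MAX_KEY_AGE = timedelta(days=90)   # rotate keys older than this
MAX_IDLE = timedelta(days=30)      # revoke keys unused for longer than this

# Constructed inventory, transcribed by hand from the API Keys section
# (name, creation date, last-used timestamp). last_used None = never used.
SAMPLE_KEYS = [
    {"name": "CI Pipeline - Production", "created": "2025-01-10", "last_used": "2025-05-30"},
    {"name": "dbt Integration", "created": "2025-05-01", "last_used": "2025-05-31"},
    {"name": "GitHub Actions - Staging", "created": "2025-04-20", "last_used": "2025-04-22"},
    {"name": "", "created": "2025-05-10", "last_used": None},
]


def _parse(day):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_keys(keys, now, grace=timedelta(days=7)):
    """Return {key label: [findings]} for keys that need attention."""
    report = {}
    for index, key in enumerate(keys):
        findings = []
        created = _parse(key["created"])
        if not key["name"].strip():
            findings.append("no descriptive name")
        if now - created > MAX_KEY_AGE:
            findings.append("rotate: older than %d days" % MAX_KEY_AGE.days)
        if key["last_used"] is None:
            # A brand-new key may not be deployed yet; allow a grace period.
            if now - created > grace:
                findings.append("revoke: never used")
        elif now - _parse(key["last_used"]) > MAX_IDLE:
            findings.append("revoke: idle for more than %d days" % MAX_IDLE.days)
        if findings:
            report[key["name"] or "<unnamed #%d>" % index] = findings
    return report


if __name__ == "__main__":
    today = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for name, findings in audit_keys(SAMPLE_KEYS, today).items():
        print(name + ": " + "; ".join(findings))
```

Create the replacement key before acting on a "rotate" finding, since revocation takes effect immediately.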