Managing REST API authentication keys

Each project requires a separate key to authenticate you via the API. Anyone in possession of one of these keys can perform actions as you, but only within the project to which the key belongs.

You can generate API keys from your Loco project dashboard at any time. From the management view, expand the "Developer Tools" panel at the top-right and click the "API keys" link (the one with the key icon). You will see two types of keys, as follows:

1. Export key

Primarily intended for deployment scripts, this type of key provides read only access across the API.

Nobody in possession of this key can do any damage to your data, because any update or delete operations attempted with such a key will be blocked by the API. In other words, this type of key can only be used for GET requests.

Export keys are stored in our database. That means you can always retrieve them from the Developer Tools tab in your project dashboard.

2. Full access key

This key provides read and write access to your Loco project. For this reason you should treat it as carefully as you would your password. Anyone in possession of this key can update and delete your project data as if they were you.

If you need to distribute your key into a deployment script, or share download links with colleagues, use a read-only export key instead.

Full access keys are not stored in our database. That means you can't retrieve them from your dashboard. Be sure to copy new keys to a secure location of your own before closing down the key generation window. If you lose your key, you'll have to generate a new one.

Old keys

If you can see your full access key within the Loco dashboard it was generated before we stopped storing them on our servers. We recommend you regenerate old keys to take advantage of more recent security measures.

Authentication and usage

Loco API keys are effectively "bearer" tokens. This means there's no need to sign requests or present any additional secret information. To authenticate with your key, send it to the API either as the key parameter in the query string or, preferably, as an authentication header whenever possible. See full technical details in the API docs.

We recommend that full access keys are always sent in the header as Authorization: Loco <key>. This avoids your key appearing in our log files.
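As an added example (not Loco's own documentation or client code), the helper below builds requests that carry the key in the Authorization header as recommended above, only allows the query-string form for read-only requests, and scrubs key= values from an access-log line so a key passed that way does not linger in logs. The API base URL, the sample key and the sample log line are assumptions constructed for this example.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request

# Assumed base URL for the Loco REST API; not taken from this page.
API_BASE = "https://localise.biz/api"
READ_ONLY_METHODS = {"GET", "HEAD"}


def build_request(path, key, method="GET", key_in_header=True):
    """Build a urllib Request authenticated with a Loco API key.

    By default the key travels as an 'Authorization: Loco <key>' header.
    The 'key' query-string form is permitted only for read-only methods,
    because query strings are written to server and proxy logs; a write
    request that tries to use it raises ValueError instead.
    """
    method = method.upper()
    url = API_BASE + path
    headers = {}
    if key_in_header:
        headers["Authorization"] = "Loco " + key
    elif method in READ_ONLY_METHODS:
        sep = "&" if "?" in url else "?"
        url += sep + urlencode({"key": key})
    else:
        raise ValueError("write requests must send the key in the Authorization header")
    return Request(url, method=method, headers=headers)


# Matches a 'key=' query parameter up to the next '&', whitespace or quote.
KEY_PARAM = re.compile(r'([?&]key=)[^&\s"]+')


def redact_key_param(log_line):
    """Mask the value of any 'key=' query parameter in an access-log line."""
    return KEY_PARAM.sub(r"\1[REDACTED]", log_line)


# Constructed sample values; the key is not a real credential.
DEMO_KEY = "EXAMPLEKEY0123456789"
SAMPLE_LOG = ('203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] '
              '"GET /api/export/all.json?key=EXAMPLEKEY0123456789 HTTP/1.1" 200 512')

if __name__ == "__main__":
    req = build_request("/export/all.json", DEMO_KEY)
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
    print(redact_key_param(SAMPLE_LOG))
```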

Security notes

  • The Loco API operates only over SSL. Be sure to verify secure connections;
  • Treat your keys as sensitively as passwords and regenerate them regularly (they don't expire);
  • Use a read-only key whenever possible, especially when distributing links or deployment code.