API Keys
API keys provide programmatic access to the CloudQuery Platform API. Use them to automate workflows, integrate with CI/CD pipelines, or access platform features from scripts and external tools.
Prerequisites
You need admin permissions to create and manage API keys.
Creating an API key
- In the sidebar, click your user icon and select Admin Settings.
- Navigate to the API Keys section.
- Click Create API Key.
- Enter a Name to identify the key’s purpose (e.g., “CI/CD Pipeline” or “Terraform Integration”).
- Set an Expiration date. Preset options are 7 days, 30 days, and 1 year. You can also pick a custom date.
- Assign a Role to control what the key can access:
| Role | Description |
|---|---|
admin:write | Full admin access — manage syncs, users, settings |
admin:read | Read-only admin access |
general:write | Read and write access to non-admin features |
general:read | Read-only access to non-admin features |
ci | CI/CD pipeline access for syncs and deployments |
schema-only | Access to table schemas only |
- Click Create.
The API key value is displayed only once after creation. Copy it immediately and store it securely — you will not be able to view it again.
Using an API key
Include the key in the Authorization header of API requests:
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
https://<YOUR_PLATFORM_URL>/api/pluginsAPI keys are also used for Platform Activation and plugin downloads from the CloudQuery Hub.
Managing API keys
The API keys list shows:
| Field | Description |
|---|---|
| Name | The identifier you assigned when creating the key |
| Created by | The email of the user who created the key |
| Created at | When the key was created |
| Expires at | When the key will stop working |
| Last used | The last date the key was used (accurate to the day) |
| Status | Whether the key is active or expired |
To delete a key, use the action menu on the key’s row. Deleted keys stop working immediately.
Best practices
- Create separate keys for different use cases (CI/CD, monitoring, automation) so you can rotate or revoke them independently.
- Set expiration dates. Avoid creating keys that never expire.
- Store keys in a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault) rather than in plaintext configuration files.
Last updated on