API Keys

Posit Connect allows users to access hosted content outside the web browser by utilizing API Keys - e.g. via shell scripts. API Keys are enabled by default. To change this behavior please see the Configuring API Keys section.

How this Works

API Keys are associated with user accounts. They provide roughly the same level of access to Posit Connect as a user logged in via the browser would have.

If a user has a compromised API Key, the Key should be deleted as soon as possible. The administrator may wish to lock the account if the user is having difficulty deleting the API Key.

To retrieve static content or to invoke Plumber endpoints via API Keys an HTTP request must be made to the target URL of the published content. The request must contain an HTTP header whose key is Authorization and value is set to Key API_KEY.

Authorization: Key ABCDEFGHIJKLMNO

Use the information above to allow API Keys to pass through a Proxy.

API Keys have the same authorization access levels as the user that owns them. Someone who uses an API Key will be able to view all content that the owner of the API Key has access to. API Keys are shared secrets and as such they should be stored securely and only be given to trusted applications. It is advisable that content requests be made securely over HTTPS. If a user believes that an API Key has been compromised, they can revoke just that key by deleting it.

The API Keys chapter of the Posit Connect User Guide explains how to create and use API Keys.

To learn how to configure Posit Connect to listen for HTTPS requests please see the HTTPS configuration appendix.

Configuring API Keys

To disallow API Keys, set Authentication.APIKeyAuth to false.

; /etc/rstudio-connect/rstudio-connect.gcfg
APIKeyAuth = false