API Keys

Posit Connect allows users to access hosted content outside the web browser by utilizing API Keys - e.g. via shell scripts. API Keys are enabled by default. To change this behavior please see the Configuring API Keys section.

How this Works

API Keys are associated with user accounts. They provide roughly the same level of access to Posit Connect as a user logged in via the browser would have.

If a user has a compromised API Key, the Key should be deleted as soon as possible. The administrator may wish to lock the account if the user is having difficulty deleting the API Key.

To retrieve static content or to invoke Plumber endpoints via API Keys an HTTP request must be made to the target URL of the published content. The request must contain an HTTP header whose key is Authorization and value is set to Key API_KEY.

Authorization: Key ABCDEFGHIJKLMNO

Note

Use the information above to allow API Keys to pass through a Proxy.

API Keys have the same authorization access levels as the user that owns them. Someone who uses an API Key will be able to view all content that the owner of the API Key has access to. API Keys are shared secrets and as such they should be stored securely and only be given to trusted applications. It is advisable that content requests be made securely over HTTPS. If a user believes that an API Key has been compromised, they can revoke just that key by deleting it.

The Accessing Content via API Keys section of the Connect User Guide explains how to create and use API Keys.

To learn how to configure Connect to listen for HTTPS requests, please see the HTTPS configuration appendix.

Configuration

Disabling API key authentication

Disable Authentication.APIKeyAuth to disallow API keys. This choice also disables Applications.DefaultAPIKeyEnv.

; /etc/rstudio-connect/rstudio-connect.gcfg
[Authentication]
APIKeyAuth = false

Automatic API keys

The CONNECT_API_KEY environment variable is automatically provided to running content. This variable contains an ephemeral API key that exists for the duration of the underlying process.

Content owners can overwrite CONNECT_API_KEY with a custom environment variables.

The automatic addition of CONNECT_API_KEY can be disabled with the Applications.DefaultAPIKeyEnv option.

; /etc/rstudio-connect/rstudio-connect.gcfg
[Applications]
DefaultAPIKeyEnv = false