Manage & Secure API Keys

Application programming interfaces (APIs) enable multiple software components to communicate with each other.

To access Figment's APIs, you must authenticate your requests using a valid API key. You can create, view, and delete your API keys from the DataHub dashboard.

Read more about API authentication.

View an API key

You can create multiple API keys for a DataHub app. You can view your app's API keys from the Overview tab of the dashboard by clicking on View Key.

Create an API key

  1. Log in to your account.
  2. Select the app from the Project list.
  3. Click on the Overview tab of the dashboard.
  4. Click on View Key.
  5. Next, click on Create Key, type “CREATE”, then click Create Key.

You should see an "API key created!" notification in the top right-hand corner. Click on the Copy icon to the right of the API key to copy the API key to your clipboard.

Delete an API key

Note: You must have at least two API keys before you can delete the original API key.

  1. Log in to your account.
  2. Select the app from the Project list.
  3. Click on the Overview tab of the dashboard.
  4. Click on View Key.
  5. Click on the trash can icon next to the API key you wish to delete.
  6. Next, type “DELETE” and click Confirm to delete the API key.

You should see a "Deletion successful!" notification in the top right-hand corner.

API Key Best Practices

Whether you're using a Figment API or any other API in your project, it's important to keep your API keys secure during storage and transmission. Accidentally sharing an API key on a public forum or on a code-sharing site like GitHub's Gist could lead to unexpected traffic spikes, consumption of your API quota and unwanted charges on your account. To keep your API keys secure, follow these best practices.

  1. Do not use API keys directly in your code. If an API key is embedded in your code, there is a high chance of accidental exposure. Instead of embedding the keys in code, always store API keys separately in environment variables or .env files outside of your application's source tree.

  2. Never push your API keys or .env files to a public code repository like GitHub. To prevent this, always list .env files in a .gitignore file or equivalent. A .gitignore file specifies intentionally untracked files that Git will ignore, so they are not staged, committed or pushed to a remote. It has no effect on files that Git already tracks. It's a good habit to review your code before pushing it to GitHub, Bitbucket, etc. to make sure it doesn't contain any API keys, login credentials or other sensitive information. Consider using a tool such as GitGuardian to alert you to potential issues.

  3. Keep track of your API usage on a regular basis, which you can do from the Analytics tab in your DataHub dashboard. If you notice anything unusual, like a sudden spike in traffic, you should rotate your API keys by creating a new key, adding the new key to your project's codebase, then deleting the old API key from your account so it can no longer be used. If you believe your API key may have been exposed or you have any questions, please contact the DataHub support team.

  4. Delete any API keys that are not actively being used and limit their access to only those who need them by following the principle of least privilege. Also rotate your API keys periodically, to reduce the risk of attack due to key exposure.

  5. Never share your secrets unencrypted, whether in emails or via messaging systems like Slack or Discord. Always use a secrets manager, vault manager, or password manager such as AWS Key Management Service, HashiCorp Vault, 1Password or similar.

  6. Manage Allowed Origins for your DataHub apps or implement a proxy service to connect to Figment APIs instead of embedding your API keys in your codebase. Read more about CORS and Allowed Origins.
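
Practices 1 and 2 above can be checked automatically before code is pushed. The following is an added example, not code from Figment or DataHub: the variable name DATAHUB_API_KEY, the key-detection pattern and the simplified .gitignore matching are assumptions made for illustration, and the sample source is constructed.

```python
import os
import re
from fnmatch import fnmatch

# Assumption: a hard-coded key is a quoted token of 24+ URL-safe characters
# assigned to a name containing "api_key", "secret" or "token".
HARDCODED = re.compile(
    r"""\b\w*(?:api[_-]?key|secret|token)\w*\s*[:=]\s*["']([A-Za-z0-9_-]{24,})["']""",
    re.IGNORECASE,
)

# Constructed sample: line 2 embeds a made-up key, line 3 reads it from the environment.
SAMPLE_SOURCE = '''import os
API_KEY = "3f9a1c7e5b2d4086a1c3e5f7092b4d6e"
api_key = os.environ["DATAHUB_API_KEY"]
'''

def load_api_key(name="DATAHUB_API_KEY", environ=os.environ):
    """Practice 1: read the key from the environment; fail closed if it is missing."""
    key = environ.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start without an API key")
    return key

def env_file_ignored(gitignore_text):
    """Practice 2: True if a pattern covers a top-level .env (simplified matching)."""
    ignored = False
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith("#"):
            continue
        negated = pattern.startswith("!")
        if fnmatch(".env", pattern.lstrip("!/")):
            ignored = not negated  # the last matching pattern wins, as in Git
    return ignored

def find_hardcoded_keys(source_text):
    """Practice 2: return (line_number, redacted_prefix) for suspected embedded keys."""
    hits = []
    for number, line in enumerate(source_text.splitlines(), 1):
        match = HARDCODED.search(line)
        if match:
            hits.append((number, match.group(1)[:4] + "..."))  # never echo the secret
    return hits

if __name__ == "__main__":
    print(".env ignored:", env_file_ignored("node_modules/\n.env\n"))
    print("suspected keys:", find_hardcoded_keys(SAMPLE_SOURCE))
```

A check like this complements, rather than replaces, a dedicated scanner such as GitGuardian, which recognises many more credential formats.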