Documentation Index

Fetch the complete documentation index at: https://docs.supermetrics.com/llms.txt

Use this file to discover all available pages before exploring further.

Create API key

  • Updated on Jun 23, 2026
  • Published on Sep 2, 2025
Prev Next
Post
/api_keys

Create a new API key. Creating a new API key through this endpoint is recorded to the audit logs.

Security
HTTP
Type bearer

Bearer token authentication. Include the token in the Authorization header: Authorization: Bearer <your-token>

Body parameters

API key creation parameters including type, permissions, and access controls

{
  "key_type": "query",
  "description": "Marketing team API key",
  "scope_names": [
    "ds_queries_read",
    "ds_queries_run",
    "table_groups_read"
  ],
  "allow_ips": [
    "192.168.1.100",
    "10.0.0.0/24"
  ],
  "is_enabled": true,
  "behalf_of_user_id": "user_123456"
}
object
description
string

Internal API key description

Max length1000
scope_names
Array of string Required

List of permission scopes for the API key. Defaults to none.

Max items100
string
Valid values[ "cb_connectors_read", "cb_connectors_write", "cb_logo_read", "cb_logo_write", "cb_logs_read", "cb_secrets_read", "cb_secrets_write", "custom_fields_read", "custom_fields_write", "data_blending_read", "data_blending_write", "ds_accounts_read", "ds_login_links_read", "ds_login_links_write", "ds_logins_read", "ds_logins_write", "ds_queries_read", "ds_queries_run", "dwh_transfers_read", "dwh_transfers_write", "table_groups_read", "table_groups_write", "team_lists_read", "team_lists_write", "team_read", "team_settings_read", "team_settings_write", "user_read" ]
allow_ips
Array of string

List of fixed or CIDR formatted IP addresses allowed to use API key. Only IPv4 is supported.

Max items100
string
Max length255
Pattern^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$
is_enabled
boolean

Whether API key is enabled and can be used in requests

Defaulttrue
behalf_of_user_id
string | null Required

Supermetrics user ID the API key identifies as

Max length50
Pattern^[A-Za-z0-9_-]+$
Responses
201

API key created successfully

Headers
Content-Type
string
HTTP response content type
Valid values[ "application/json" ]
Max length255
Exampleapplication/json
X-RateLimit-Limit
integer
Request limit per hour
Minimum1
Maximum10000
Example5000
X-RateLimit-Remaining
integer
Remaining requests in current window
Minimum0
Maximum10000
Example4999
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
Location
string
URL of the created resource
Max length500
Expand All
object
meta
object (Meta)

Metadata included in every API response.

request_id
string

Unique identifier for the request, for tracking and debugging.

Min length8
Max length64
Pattern^[A-Za-z0-9_-]+$
ExampleBXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN
data
object (ApiKey)
@type
string
Valid values[ "api_key" ]
api_key_id
string

Supermetrics API key ID

Max length50
Pattern^[A-Za-z0-9_-]+$
created_time
string (date-time)

ISO 8601 datetime for when API key was created

Max length50
description
string

Internal API key description

Max length1000
key_type
string

Type of API key

Max length50
key_start
string

First 10 characters from the API key value

Max length50
Pattern^[A-Za-z0-9_-]+$
key_value
string

API key value as plain text, when requested. Defaults to null.

Max length255
Pattern^[A-Za-z0-9_-]+$
scope_names
Array of string

List of permission scopes for the API key

Max items100
string
Max length100
allow_ips
Array of string

List of fixed or CIDR formatted IP addresses allowed to use API key

Max items100
string
Max length255
Pattern^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[1-2][0-9]|3[0-2]))?$
is_enabled
boolean

Whether API key is enabled and can be used in requests

behalf_of_user_info
object (User)
@type
string
Valid values[ "user" ]
user_id
string

Supermetrics user ID

Max length50
Pattern^[A-Za-z0-9_-]+$
email
string (email)

Supermetrics user email

Max length255
400

API Key Error

Headers
X-RateLimit-Limit
integer
Request limit per hour
Minimum1
Maximum10000
Example5000
X-RateLimit-Remaining
integer
Remaining requests in current window
Minimum0
Maximum10000
Example4999
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
object
error
string
Valid values[ "API_KEY_ALLOW_IP_INVALID", "API_KEY_SCOPE_NAME_INVALID", "API_KEY_USER_INVALID" ]
Max length100
message
string
Max length255
401

Unauthorized

Headers
WWW-Authenticate
string
Bearer token required
Max length255
Pattern^Bearer.*
X-RateLimit-Limit
integer
Request limit per hour
Minimum1
Maximum10000
Example5000
X-RateLimit-Remaining
integer
Remaining requests in current window
Minimum0
Maximum10000
Example4999
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
{
  "meta": {
    "request_id": "BXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN"
  },
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authentication is required."
  }
}
Expand All
object

Standard envelope returned by all error (4xx/5xx) responses.

meta
object (Meta)

Metadata included in every API response.

request_id
string

Unique identifier for the request, for tracking and debugging.

Min length8
Max length64
Pattern^[A-Za-z0-9_-]+$
ExampleBXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN
error
object (Error)

Machine- and human-readable detail for a failed request.

code
string

Stable, screaming-snake-case identifier for the error condition. Clients should branch on this, not on message. Common values include BAD_REQUEST, UNAUTHORIZED, FORBIDDEN, NOT_FOUND, CONFLICT_ERROR, PERMISSION_ERROR, UNPROCESSABLE_ENTITY, UNPROCESSABLE_CONTENT, TOO_MANY_REQUESTS, INTERNAL_SERVER_ERROR, DUPLICATION_FAILED, SERVICE_UNAVAILABLE; domains may define additional codes.

Max length100
Pattern^[A-Z][A-Z0-9_]*$
ExampleBAD_REQUEST
message
string

Short, human-readable summary of the error.

Max length255
Pattern^.+$
ExampleThe request was invalid.
description
string

Optional longer explanation specific to this occurrence.

Max length2048
ExampleThe field 'display_name' must not be empty.
403

API Key Limit Exceeded

Headers
X-RateLimit-Limit
integer
Request limit per hour
Minimum1
Maximum10000
Example5000
X-RateLimit-Remaining
integer
Remaining requests in current window
Minimum0
Maximum10000
Example4999
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
object
error
string
Valid values[ "API_KEY_LIMIT_EXCEEDED" ]
Max length100
message
string
Max length255
422

Unprocessable Entity - validation failed for the request parameters

Headers
X-RateLimit-Limit
integer
Request limit per hour
Minimum1
Maximum10000
Example5000
X-RateLimit-Remaining
integer
Remaining requests in current window
Minimum0
Maximum10000
Example4999
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
{
  "meta": {
    "request_id": "BXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN"
  },
  "error": {
    "code": "UNPROCESSABLE_ENTITY",
    "message": "Validation failed for the request parameters."
  }
}
Expand All
object

Standard envelope returned by all error (4xx/5xx) responses.

meta
object (Meta)

Metadata included in every API response.

request_id
string

Unique identifier for the request, for tracking and debugging.

Min length8
Max length64
Pattern^[A-Za-z0-9_-]+$
ExampleBXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN
error
object (Error)

Machine- and human-readable detail for a failed request.

code
string

Stable, screaming-snake-case identifier for the error condition. Clients should branch on this, not on message. Common values include BAD_REQUEST, UNAUTHORIZED, FORBIDDEN, NOT_FOUND, CONFLICT_ERROR, PERMISSION_ERROR, UNPROCESSABLE_ENTITY, UNPROCESSABLE_CONTENT, TOO_MANY_REQUESTS, INTERNAL_SERVER_ERROR, DUPLICATION_FAILED, SERVICE_UNAVAILABLE; domains may define additional codes.

Max length100
Pattern^[A-Z][A-Z0-9_]*$
ExampleBAD_REQUEST
message
string

Short, human-readable summary of the error.

Max length255
Pattern^.+$
ExampleThe request was invalid.
description
string

Optional longer explanation specific to this occurrence.

Max length2048
ExampleThe field 'display_name' must not be empty.
429

Too Many Requests

Headers
X-RateLimit-Limit
integer
Request limit per hour
Minimum1
Maximum10000
Example5000
X-RateLimit-Remaining
integer
Remaining requests in current window
Minimum0
Maximum10000
Example4999
Retry-After
integer
Seconds until rate limit resets
Minimum1
Maximum86400
Example3600
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
{
  "meta": {
    "request_id": "BXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN"
  },
  "error": {
    "code": "TOO_MANY_REQUESTS",
    "message": "Rate limit exceeded. Retry later."
  }
}
Expand All
object

Standard envelope returned by all error (4xx/5xx) responses.

meta
object (Meta)

Metadata included in every API response.

request_id
string

Unique identifier for the request, for tracking and debugging.

Min length8
Max length64
Pattern^[A-Za-z0-9_-]+$
ExampleBXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN
error
object (Error)

Machine- and human-readable detail for a failed request.

code
string

Stable, screaming-snake-case identifier for the error condition. Clients should branch on this, not on message. Common values include BAD_REQUEST, UNAUTHORIZED, FORBIDDEN, NOT_FOUND, CONFLICT_ERROR, PERMISSION_ERROR, UNPROCESSABLE_ENTITY, UNPROCESSABLE_CONTENT, TOO_MANY_REQUESTS, INTERNAL_SERVER_ERROR, DUPLICATION_FAILED, SERVICE_UNAVAILABLE; domains may define additional codes.

Max length100
Pattern^[A-Z][A-Z0-9_]*$
ExampleBAD_REQUEST
message
string

Short, human-readable summary of the error.

Max length255
Pattern^.+$
ExampleThe request was invalid.
description
string

Optional longer explanation specific to this occurrence.

Max length2048
ExampleThe field 'display_name' must not be empty.
500

Internal server error

Headers
Access-Control-Allow-Origin
string
CORS header
Valid values[ "*" ]
Max length255
Example*
{
  "meta": {
    "request_id": "BXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN"
  },
  "error": {
    "code": "INTERNAL_SERVER_ERROR",
    "message": "An unexpected error occurred."
  }
}
Expand All
object

Standard envelope returned by all error (4xx/5xx) responses.

meta
object (Meta)

Metadata included in every API response.

request_id
string

Unique identifier for the request, for tracking and debugging.

Min length8
Max length64
Pattern^[A-Za-z0-9_-]+$
ExampleBXaEFVtjc7TXaJxgZhmFgSUD9edqq_CN
error
object (Error)

Machine- and human-readable detail for a failed request.

code
string

Stable, screaming-snake-case identifier for the error condition. Clients should branch on this, not on message. Common values include BAD_REQUEST, UNAUTHORIZED, FORBIDDEN, NOT_FOUND, CONFLICT_ERROR, PERMISSION_ERROR, UNPROCESSABLE_ENTITY, UNPROCESSABLE_CONTENT, TOO_MANY_REQUESTS, INTERNAL_SERVER_ERROR, DUPLICATION_FAILED, SERVICE_UNAVAILABLE; domains may define additional codes.

Max length100
Pattern^[A-Z][A-Z0-9_]*$
ExampleBAD_REQUEST
message
string

Short, human-readable summary of the error.

Max length255
Pattern^.+$
ExampleThe request was invalid.
description
string

Optional longer explanation specific to this occurrence.

Max length2048
ExampleThe field 'display_name' must not be empty.

© Supermetrics 2025