Codat uses API keys to control access to the API.

It is vital that this API key is kept secret and never appears in publicly accessible places such as GitHub or client-side code.
Codat recommends that the API key is inserted at release time and that the number of people at your organisation with access to it is minimised.

Codat expects the API key to be included in all API requests to the server, Base64 encoded within an 'Authorization' header.

Authorization: Basic your_encoded_api_key


You must replace your_encoded_api_key with your API key, Base64 encoded.

Admin and Developer users can view and regenerate API keys and Authorization headers from the Codat Portal.

Getting your authorization header


Authorization headers can only be viewed and copied by users with Administrator or Developer roles.

To get your authorization header from the Codat Portal:

  1. In the navigation bar, click Settings > Organization.
  2. In the API Access section, copy your authorization header rather than the API key itself.
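
Added example (not Codat's code): Base64 is an encoding, not encryption, so the copied authorization header is as sensitive as the API key itself. This Python sketch builds the header from an environment variable set at release time, redacts it from log text, and flags source lines that contain a decodable Basic token. The variable name CODAT_API_KEY, the sample key and the file names are constructed assumptions.

```python
import base64
import binascii
import os
import re

# "Basic <token>" as it appears in the Authorization header described above.
BASIC_RE = re.compile(r"\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})")

# Constructed sample input: not a real key, not real project files.
SAMPLE_KEY = "constructed-key-0001"
SAMPLE_FILES = {
    "docs/usage.md": "Authorization: Basic your_encoded_api_key\n",
    "web/client.js": "const h = 'Basic "
    + base64.b64encode(SAMPLE_KEY.encode()).decode() + "';\n",
}


def build_auth_header(env_var="CODAT_API_KEY"):
    """Build the header from a key injected at release time.
    CODAT_API_KEY is an assumed variable name, not one Codat defines."""
    api_key = os.environ.get(env_var)
    if not api_key:
        raise RuntimeError(f"{env_var} is not set")
    token = base64.b64encode(api_key.encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def redact(text):
    """Mask Basic credentials before text reaches logs or error reports."""
    return BASIC_RE.sub("Basic [REDACTED]", text)


def find_committed_headers(files):
    """Return (path, line_no) for each line holding a decodable Basic token.
    Base64 is reversible, so a committed header exposes the key itself."""
    hits = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), 1):
            for match in BASIC_RE.finditer(line):
                try:
                    base64.b64decode(match.group(1), validate=True)
                except (binascii.Error, ValueError):
                    continue  # not valid Base64 (bad length or padding)
                hits.append((path, line_no))
    return hits
```

The documentation placeholder your_encoded_api_key is not flagged, while the encoded key embedded in client-side code is.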