Codat uses API keys to control access to the API.

It is vital this API key is kept secret and is not available in publicly accessible areas such as GitHub and client-side code.
Codat recommends the API key is inserted at release time and the number of people at your organisation with access to your API key is minimised.

Codat expects for the API key to be included in all API requests to the server, Base64 encoded within an 'Authorization' header.

Authorization: Basic your_encoded_api_key


You must replace your_encoded_api_key with your API key, Base64 encoded

Admin and Developer users can view and regenerate API keys and Authorization headers from the Codat Portal.

This can be found under "Account" > "Profile" > API Access > API Key/Authorization Header.