API Keys
API keys allow you to authenticate API requests programmatically without using session cookies. API keys are tenant-scoped and support granular permissions via scopes.
Creating an API Key
Via UI
- Navigate to Admin → API (
/admin/api)
- Click Create Key
- Configure:
- Name: Descriptive name for the key (required)
- Scopes: Select permissions (required)
- Click Create Key
- Copy the key immediately - it’s shown only once and cannot be retrieved later
Security: API keys are displayed only once at creation. If lost, you must create a new key. Store keys securely and never commit them to version control.
Via API
curl -X POST "https://app.betterdata.co/api/admin/api-keys" \
-H "Authorization: Bearer YOUR_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Production API Key",
"scopes": ["inventory:read", "forecast:read"]
}'
{
"apiKey": {
"id": "key_123",
"name": "Production API Key",
"keyPrefix": "bdk_live_ABC123",
"last4": "XYZ1",
"scopes": ["inventory:read", "forecast:read"],
"status": "ACTIVE",
"createdAt": "2024-01-01T00:00:00Z"
},
"plaintextKey": "bdk_live_ABC123_<random>"
}
Using API Keys
Include the API key in the Authorization header as a Bearer token:
curl -X GET "https://app.betterdata.co/api/inventory/channel-location?locationId=loc_123&page=1&limit=50" \
-H "Authorization: Bearer bdk_live_ABC123_<your-key>" \
-H "Content-Type: application/json"
Scopes
API keys support granular permissions via scopes:
Inventory
inventory:read - Read inventory datainventory:write - Create/update inventory
Forecasting
forecast:read - Read forecastsforecast:write - Create/update forecasts
Planning
planning:read - Read planning dataplanning:write - Create/update plans
Procurement
procurement:read - Read procurement dataprocurement:write - Create/update purchase orders
Shipping
shipping:read - Read shipping datashipping:write - Create/update shipments
Reports
reports:read - Read reports
Admin
admin:read - Read admin dataadmin:write - Admin operations (tenant admin only)
Wildcards
inventory:* - All inventory operations* - All operations (use with caution)
Managing API Keys
List Keys
curl -X GET "https://app.betterdata.co/api/admin/api-keys" \
-H "Authorization: Bearer YOUR_SESSION_TOKEN"
curl -X PATCH "https://app.betterdata.co/api/admin/api-keys/key_123" \
-H "Authorization: Bearer YOUR_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Updated Name",
"scopes": ["inventory:read", "inventory:write"]
}'
Revoke Key
curl -X POST "https://app.betterdata.co/api/admin/api-keys/key_123/revoke" \
-H "Authorization: Bearer YOUR_SESSION_TOKEN"
Rotate Key
Create a new key and optionally revoke the old one:
curl -X POST "https://app.betterdata.co/api/admin/api-keys/key_123/rotate" \
-H "Authorization: Bearer YOUR_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"revokeOld": true
}'
Security Best Practices
- Store securely: Never commit API keys to version control
- Use environment variables: Store keys in environment variables or secret management systems
- Rotate regularly: Rotate keys periodically (e.g., every 90 days)
- Limit scopes: Grant minimum permissions required
- Set expiration: Use expiration dates for temporary keys
- Monitor usage: Review API key usage logs regularly
- Revoke unused keys: Delete keys that are no longer needed
Error Codes
| Code | Status | Description |
|---|
MISSING_AUTHORIZATION | 401 | Authorization header missing |
INVALID_API_KEY | 401 | API key not found or invalid |
REVOKED_API_KEY | 401 | API key has been revoked |
EXPIRED_API_KEY | 401 | API key has expired |
INACTIVE_ORGANIZATION | 403 | Organization is not active |
IP_RESTRICTED | 403 | API key not authorized for this IP |
INSUFFICIENT_SCOPE | 403 | Key lacks required scope |
Example: Get Channel × Location ATP Matrix
curl -X GET "https://app.betterdata.co/api/inventory/channel-location?locationId=loc_123&page=1&limit=50" \
-H "Authorization: Bearer bdk_live_ABC123_<your-key>" \
-H "Content-Type: application/json"
inventory:read scope.
