# Accessing REST APIs

When you make REST API calls, your access permissions for APIs mirror your access permissions to objects and features in the Treasure Data Console. For more information about how API endpoints or baseURLs map to the TD Console, see [Treasure Data API baseURLs](https://api-docs.treasuredata.com/en/overview/aboutendpoints/#treasure-data-api-baseurls).

## Choosing the Right Type of API Key

REST API access is controlled through API keys. Almost every REST API call needs to be issued with a valid API key for authentication and resource authorization purposes.

**Master API key**

Can be used to perform every operation allowed by the user’s access level. Keep your Master key secure: Master keys provide both read and write access, so anyone who obtains one could access, corrupt, or delete your data. Never share or expose a Master key.

**Write-only API key**

Using a write-only key adds a security layer when you expose REST API access to third parties or embed credentials in ingestion libraries (for example, web page integrations). It allows data ingestion only into databases where the user retains write permissions.

## Default API Keys

By default, every new user is created with one Master and one Write-only API key. Any user can generate any number of the two types of API keys. Any of the API keys can be revoked at any time by the user themselves or by any user who has Manage User permissions.