You can find your Master and Write-only key in your profile.
REST API access is controlled through API keys. Almost every REST API call needs to be issued with a valid API key for authentication and resource authorization purposes.
| API Key Type | Description |
|---|---|
| Master | Can be used to perform all permitted operations based on the user’s permission level and access, no exception. |
| Write-only | Provides an additional layer of security in controlling access to a Treasure Data account through the REST APIs. Useful when access has to be provided to 3rd parties or API keys need to be embedded in ingestion libraries (for example, web page integrations). Based on the permissions and access levels associated with a user, the user’s Write-only API key only allows importing data into Treasure Data to those databases it has write access to. |
Keep your API Master key secure. Master keys grant both read and write access to Treasure Data, and anyone in possession of your Master key could possibly access, corrupt, or delete your data. Do not share your Master keys and be careful not to expose or release your Master key publicly.
By default, every new user is created with one Master and one Write-only API key. Any user can generate any number of the two types of API keys. Any of the API keys can be revoked at any time by the user themselves or any user having Manage User permissions.
- Open TD Console.
- Access My Settings > API Keys.
- Select API Keys.
Only the Master API key can be retrieved from the command line. To retrieve the key, execute the following command:
td apikey:showYou can create additional API keys as needed. This is useful when you need separate keys for different applications or environments.
- Open TD Console.
- Navigate to My Settings > API Keys.
- Select Actions > Create API Key.
- Choose the key type:
- Write-only: For data ingestion only (recommended for most integrations)
- Master: For full access to all permitted operations
- Select Save.
The new API key appears in your list of keys and is ready to use immediately.
Revoke API keys that are no longer needed or may have been compromised. Revoking a key immediately invalidates it and any applications using that key will lose access.
- Open TD Console.
- Navigate to My Settings > API Keys.
- Find the API key you want to revoke.
- Select Actions > Delete for that key.
- Confirm the deletion when prompted.
Revoking an API key cannot be undone. Ensure that no active applications or integrations are using the key before revoking it.
Follow these recommendations to keep your Treasure Data account secure:
- Use Write-only keys for data ingestion tasks, client-side integrations, and third-party services.
- Reserve Master keys for administrative tasks and server-side applications in secure environments.
- Periodically create new API keys and update your applications to use them.
- Revoke old keys after confirming the new keys are working.
- Consider rotating keys every 90 days or according to your organization's security policy.
- Never commit API keys to version control systems.
- Use environment variables or secret management tools to store keys.
- Avoid embedding Master keys in client-side code or publicly accessible locations.
- Keep track of which applications use each API key.
- Create separate keys for different applications to isolate access.
- Revoke keys immediately if you suspect they have been compromised.