DocsPricingCompareChangelogGitHub1,029
Start free
API Reference

Authentication

All API requests require authentication. Databuddy supports two authentication methods: API keys for server-side integrations and session cookies for browser-based apps.

API Key Authentication

Use your API key in the x-api-key header:

bash
curl -H "x-api-key: dbdy_your_api_key_here" \
https://api.databuddy.cc/v1/query/websites

Alternatively, use Bearer token format:

bash
curl -H "Authorization: Bearer dbdy_your_api_key_here" \
https://api.databuddy.cc/v1/query/websites

Getting an API Key

  1. Go to Dashboard → Organization Settings → API Keys
  2. Click Create API Key
  3. Enter a descriptive name (e.g., "Production Server", "CI Pipeline")
  4. Select the required scopes
  5. Optionally restrict access to specific websites
  6. Copy and securely store your key — it won't be shown again

Security Note: Store API keys securely. Never commit them to version control or expose them in client-side code.

API Key Scopes

Scopes control what actions an API key can perform:

ScopePermission
read:dataQuery analytics data and list accessible websites — covers POST /v1/query, POST /v1/query/compile, POST /v1/query/custom, and GET /v1/query/websites
track:eventsSend custom events via POST /track
read:linksRead short links and their analytics
write:linksCreate, update, and delete short links
manage:websitesCreate, update, and delete websites
manage:flagsManage feature flags and targeting rules
manage:configIntegration config and organization settings

Most integrations only need read:data. Add track:events if you also send events server-side.

Access Levels

API keys can have two access levels:

Global Access

Access all websites in your account or organization. Best for:

  • Internal dashboards
  • Automated reporting
  • Organization-wide analytics

Website-Specific Access

Access only specified websites. Best for:

  • Third-party integrations
  • Client-specific keys
  • Least-privilege security

Session Cookie Authentication

Browser-based applications using the Databuddy dashboard session can authenticate automatically via cookies. This works when:

  • Users are logged into the Databuddy dashboard
  • Requests include credentials: 'include'
  • Requests originate from *.databuddy.cc domains
typescript
fetch('https://api.databuddy.cc/v1/query/websites', {
credentials: 'include'
})

Choosing an Authentication Method

Use CaseRecommended Method
Server-to-server integrationAPI Key (x-api-key)
CI/CD pipelinesAPI Key (x-api-key)
Custom dashboards (server-side)API Key (x-api-key)
Browser apps on your domainSession Cookie
Third-party applicationsAPI Key with limited scope

Authentication Errors

Error CodeMeaning
AUTH_REQUIREDNo API key or session provided
ACCESS_DENIEDValid auth but no access to requested resource
INVALID_API_KEYAPI key is invalid, expired, or revoked
INSUFFICIENT_SCOPEAPI key lacks required scope

Example error response:

json
{
"success": false,
"error": "Authentication required",
"code": "AUTH_REQUIRED"
}

Best Practices

  1. Use environment variables for API keys in code
  2. Rotate keys regularly — especially if team members leave
  3. Use minimal scopes — only request permissions you need
  4. Set expiration dates for temporary integrations
  5. Monitor usage — check API key activity in the dashboard

How is this guide?

Edit on GitHub