API Keys
API keys are used to authenticate requests to the Locktera CORE API.
Each API key is associated with a specific user and inherits that user's permissions. All API requests must include a valid API key.
API keys allow your application to securely create and manage containers, update access policies, and retrieve audit logs.
API keys authenticate requests but do not override container access policies. All container access is still enforced according to the container's DRM rules.
Creating an API Key
To create an API key:
-
Log in to the Locktera portal
-
Navigate to Configuration → API Keys
-
Select Create API Key
-
Copy and securely store the API key
You will also see your User ID, which is required for certain API requests.
Your API key will look similar to:
123e4567-e89b-12d3-a456-426614174000
Header Format
Include your API key in the Authorization header using Bearer authentication:
Authorization: Bearer YOUR_API_KEY
Example:
Authorization: Bearer 123e4567-e89b-12d3-a456-426614174000
Using an API Key
Include your API key in the Authorization header using Bearer authentication.
Example request:
curl -X GET $BASE_URL/me \
-H "Authorization: Bearer YOUR_API_KEY"
Example response:
{
"id": "1234",
"email": "user@company.com"
}
If the request succeeds, your API key is valid.
API Key Permissions
API keys inherit the permissions of the user who created them.
This means an API key can only perform actions that the associated user is authorized to perform.
Examples:
• Creating containers
• Retrieving container metadata
• Updating access policies
• Retrieving audit logs
If a user does not have permission to perform an action, the API key will also be restricted.
HTTP 403 Forbidden
{
"error": "access_denied",
"message": "You do not have permission to perform this operation"
}
Protecting API Keys
API keys should be treated as secret credentials.
Do not expose API keys in:
• Client-side applications
• Public repositories
• Browser-based code
Instead, store API keys securely using:
• Environment variables
• Secret management systems
• Backend services
Example using an environment variable:
export LOCKTERA_API_KEY="your_api_key_here"
Rotating API Keys
If an API key is compromised or no longer needed, create a new API key and stop using the old one.
API keys can be managed in the Locktera portal under:
Configuration → API Keys
Regular rotation of API keys is recommended.
Revoked API keys immediately lose access and can no longer authenticate requests.
Identifying API Requests
All API requests made using an API key are recorded in audit logs.
Audit records include:
• The user associated with the API key
• The container accessed
• The operation performed
• The timestamp
This ensures accountability and traceability.
Summary
API keys are used to authenticate requests to the Locktera API.
They:
• Identify the calling user
• Determine access permissions
• Enable secure API access
• Are required for all API requests
API keys must be kept secure and stored safely.
