Authentication overview
Keen IO secures access to its API endpoints through project-specific API keys. These keys serve as the primary mechanism for authenticating requests, ensuring that only authorized applications and users can interact with your event data. The system distinguishes between different access levels using specific key types: Master, Write, and Read keys, each granting varying permissions to your Keen IO project.
Authentication is performed by including the appropriate API key in the Authorization header of your HTTP requests. Keen IO mandates the use of HTTPS/TLS for all API communications, encrypting data in transit and protecting sensitive credentials from interception (Keen IO API reference). This approach aligns with standard API security practices, where tokens or keys are passed securely to verify the identity and permissions of the requester (Microsoft Azure API Gateway guidance).
Understanding the role of each key type and implementing them correctly is crucial for maintaining the security and integrity of your analytics data within the Keen IO platform.
Supported authentication methods
Keen IO primarily relies on API keys for authenticating requests to its data collection and query APIs. These keys are designed to provide granular control over access to your project's data, differentiating between operations like event ingestion and data retrieval.
API key types
Keen IO utilizes three distinct types of API keys, each with specific permissions:
- Master API Key: This key grants full administrative access to your project. It can perform all operations, including reading, writing, and deleting data, as well as managing project settings. The Master API Key should be treated with the highest level of security and ideally used only for administrative tasks or secure backend operations.
- Write API Key: This key is designed for data collection. It allows applications to send event data to your Keen IO project but does not permit reading or deleting existing data. This key is suitable for client-side applications or services that only need to record events.
- Read API Key: This key enables querying and retrieving data from your project. It does not allow for writing new events or modifying existing data. This key is appropriate for applications that display analytics dashboards or generate reports.
The choice of API key depends on the specific action your application needs to perform and the environment in which it operates. Using the least privileged key necessary for a given task is a fundamental security principle.
Authentication in requests
All authenticated requests to Keen IO's API endpoints require the inclusion of an API key in the Authorization header. The key is typically formatted as a Bearer token.
Authorization: Bearer <YOUR_API_KEY>
Alternatively, for some endpoints, particularly those interacting with project resources, the Project ID and API Key might be specified as query parameters or within the request body, though the header method is generally preferred for security.
Authentication method table
| Key | When to Use | Sensitivity (Access Granted) |
|---|---|---|
| Master API Key | Administrative tasks, backend services requiring full control. | High (Full access) |
| Write API Key | Client-side event collection, services only sending data. | Medium (Write-only) |
| Read API Key | Data querying, dashboard display, analytics reports. | Medium (Read-only) |
Getting your credentials
Accessing your Keen IO API keys and Project ID is done through the Keen IO dashboard. These credentials are vital for authenticating any interaction with your project's data.
Steps to retrieve credentials:
- Log In: Navigate to the Keen IO homepage and log in to your account.
- Select Project: Once logged in, select the specific project for which you need credentials. If you have multiple projects, ensure you're working within the correct context.
- Access API Keys Section: Within your project dashboard, look for a section typically labeled "Access", "API Keys", or "Project Settings". The exact location may vary slightly based on dashboard updates. Refer to the Keen IO documentation for the most up-to-date navigation.
- Locate Project ID and Keys: In this section, you will find your Project ID, Master API Key, Write API Key, and Read API Key. The keys are often displayed with options to copy them or regenerate them if compromised.
Important considerations:
- Project ID: Your Project ID is a unique identifier for your Keen IO project and is required alongside API keys for most API calls.
- Key Regeneration: If you suspect an API key has been compromised, you should immediately regenerate it from the dashboard. This invalidates the old key and generates a new one. Update all applications using the old key with the new one.
- Environment Variables: For server-side applications, store API keys as environment variables rather than hardcoding them directly into your codebase. This prevents accidental exposure and simplifies key rotation.
Authenticated request example
This section demonstrates how to make an authenticated request to the Keen IO API using a Write API Key to record an event. The examples use curl, but the principles apply across all Keen IO SDKs and programming languages.
Example: Recording an event with a Write API Key
To record an event, you will typically use the /events/{collection_name} endpoint. Replace <YOUR_PROJECT_ID> and <YOUR_WRITE_API_KEY> with your actual credentials.
curl -X POST \
'https://api.keen.io/3.0/projects/<YOUR_PROJECT_ID>/events/purchases' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <YOUR_WRITE_API_KEY>' \
-d '{ "item": "premium_widget", "price": 29.99, "user_id": "user_abc", "keen": { "timestamp": "2026-05-29T10:00:00.000Z" } }'
In this example:
- `-X POST` specifies the HTTP method as POST.
- `'https://api.keen.io/3.0/projects/<YOUR_PROJECT_ID>/events/purchases'` is the endpoint URL, including your Project ID and the event collection name (purchases).
- `-H 'Content-Type: application/json'` indicates that the request body is JSON.
- `-H 'Authorization: Bearer <YOUR_WRITE_API_KEY>'` is the crucial authentication header, containing your Write API Key.
- `-d '{ ... }'` contains the JSON payload representing the event data.
Example: Querying data with a Read API Key
To query data, you would use a Read API Key with a GET request to a query endpoint, such as /queries/count.
curl -X GET \
'https://api.keen.io/3.0/projects/<YOUR_PROJECT_ID>/queries/count?event_collection=purchases' \
-H 'Authorization: Bearer <YOUR_READ_API_KEY>'
This request would count the total number of events in the purchases collection, authenticated with the Read API Key.
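The two curl requests above (the event POST and the count query), rebuilt as an added Python example that is not from the Keen IO documentation or any Keen IO SDK. It constructs each request with the Authorization header described under "Authentication in requests", picks the least-privileged key type for the operation (Write for ingestion, Read for queries) rather than falling back to the Master key, and refuses a non-HTTPS base URL. The helper names (build_request, record_purchase_request, count_purchases_request, REQUIRED_KEY) and the placeholder project and key values are this example's own assumptions; the requests are built with urllib and not sent.

```python
"""Added example: build the authenticated Keen IO requests shown above with
Python's standard library, without sending them.

Only the URL layout, the "Authorization: Bearer <key>" header and the three key
roles come from the page; every helper name below and the placeholder values in
main() are this example's own assumptions.
"""
import json
from typing import Dict, Optional
from urllib.parse import urlencode
from urllib.request import Request

KEEN_BASE_URL = "https://api.keen.io/3.0"

# Least-privilege mapping (assumed operation names): the key type each operation needs.
REQUIRED_KEY = {"write_event": "write", "query": "read", "admin": "master"}


def authorization_header(api_key: str) -> Dict[str, str]:
    """Authorization header in the Bearer form the page describes."""
    if not api_key:
        raise ValueError("API key must not be empty")
    return {"Authorization": f"Bearer {api_key}"}


def build_request(project_id: str, operation: str, keys: Dict[str, str], path: str,
                  query: Optional[Dict[str, str]] = None,
                  payload: Optional[dict] = None,
                  base_url: str = KEEN_BASE_URL) -> Request:
    """Return a urllib Request for `operation`, authenticated with the least-privileged key.

    `keys` maps key type ("master" / "write" / "read") to its secret. The key type is
    chosen from REQUIRED_KEY; if that key is absent the call fails instead of quietly
    falling back to a more powerful key such as the Master API Key.
    """
    key_type = REQUIRED_KEY[operation]            # KeyError for an unknown operation
    api_key = keys.get(key_type)
    if not api_key:
        raise ValueError(f"no {key_type} key configured; refusing to substitute another key type")
    if not base_url.startswith("https://"):
        raise ValueError("Keen IO requires TLS; refusing a non-HTTPS base URL")
    url = f"{base_url}/projects/{project_id}{path}"
    if query:
        url += "?" + urlencode(query)
    headers = authorization_header(api_key)
    data = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(payload).encode("utf-8")
    return Request(url, data=data, headers=headers,
                   method="POST" if data is not None else "GET")


def record_purchase_request(project_id, keys, item, price, user_id, timestamp) -> Request:
    """Equivalent of the first curl example: POST /events/purchases with a Write API Key."""
    payload = {"item": item, "price": price, "user_id": user_id,
               "keen": {"timestamp": timestamp}}
    return build_request(project_id, "write_event", keys, "/events/purchases", payload=payload)


def count_purchases_request(project_id, keys) -> Request:
    """Equivalent of the second curl example: GET /queries/count with a Read API Key."""
    return build_request(project_id, "query", keys, "/queries/count",
                         query={"event_collection": "purchases"})


if __name__ == "__main__":
    # Constructed placeholder credentials; real keys come from the environment, never source.
    keys = {"write": "WRITE_KEY_PLACEHOLDER", "read": "READ_KEY_PLACEHOLDER"}
    for req in (record_purchase_request("PROJECT_ID_PLACEHOLDER", keys, "premium_widget", 29.99,
                                        "user_abc", "2026-05-29T10:00:00.000Z"),
                count_purchases_request("PROJECT_ID_PLACEHOLDER", keys)):
        print(req.get_method(), req.full_url)
        print("  headers:", dict(req.header_items()))
        # Sending would be: urllib.request.urlopen(req)
```

Because build_request never substitutes a different key type, a deployment that is only given the Write key cannot accidentally issue queries, which is the property the least-privilege guidance on this page is after.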
Security best practices
Implementing strong security practices for your Keen IO API keys is essential to protect your data and prevent unauthorized access. The following guidelines help mitigate common security risks:
- Use Least Privilege: Always use the API key with the minimum necessary permissions for a given task. For example, use a Write API Key for client-side event collection and a Read API Key for dashboard display, instead of a Master API Key. This limits the potential damage if a key is compromised (Google Cloud security best practices).
- Protect API Keys:
- Never hardcode keys: Avoid embedding API keys directly in your source code, especially for client-side applications.
- Environment variables: For server-side applications, store API keys as environment variables or in secure configuration files.
- Secret management services: Consider using dedicated secret management services (e.g., AWS Secrets Manager, Google Secret Manager) to store and retrieve sensitive credentials securely.
- Client-side considerations: If a Write API Key must be used directly in a client-side application, understand the inherent risks. Ensure you only ever use a Write-only key in such scenarios, as a Read or Master key would expose sensitive data.
- Enforce HTTPS/TLS: Keen IO mandates HTTPS for all API interactions. Ensure your applications are configured to always use HTTPS when communicating with Keen IO endpoints. This encrypts data in transit, protecting both your event data and API keys from eavesdropping.
- Regular Key Rotation: Periodically rotate your API keys, especially Master and Read keys. This reduces the window of exposure if a key is compromised without your knowledge. Establish a schedule for key rotation and update all applications accordingly.
- Monitor API Usage: Regularly review your Keen IO project's activity logs for any unusual or unauthorized API calls. Many platforms provide audit trails that can help detect suspicious behavior.
- Restrict Dashboard Access: Limit access to your Keen IO dashboard to only necessary personnel. Implement strong passwords and, if available, multi-factor authentication (MFA) for dashboard access.
- Secure Backend Operations: For operations requiring Master or Read API Keys, ensure these are performed exclusively from secure backend servers or trusted environments. Avoid exposing these keys in client-side code where they could be easily extracted.
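An added Python example, not from Keen IO, that turns the credential-handling guidance above (the "Environment Variables" consideration under "Getting your credentials" and the "Protect API Keys", "Client-side considerations" and "Secure Backend Operations" items here) into checks an application can run at startup: keys are loaded from environment variables instead of source, each key type is allowed only in the deployment context the page permits (only a Write key may ship to client-side code), and Bearer tokens are redacted before they reach logs. The environment variable names, the context names "backend" and "client", and the helper names are this example's assumptions.

```python
"""Added example: credential hygiene for Keen IO API keys.

Assumptions of this example (not Keen IO conventions): the environment variable
names in ENV_VARS, the deployment context names "backend" and "client", and all
helper names below.
"""
import os
import re
from typing import Dict, Iterable, Mapping

# Assumed environment variable names, one per key type on the page.
ENV_VARS = {"master": "KEEN_MASTER_KEY", "write": "KEEN_WRITE_KEY", "read": "KEEN_READ_KEY"}

# Where each key type may be deployed, following the page's guidance: only a
# Write key is acceptable in client-side code; Master and Read keys stay on backends.
ALLOWED_CONTEXTS = {
    "master": {"backend"},
    "write": {"backend", "client"},
    "read": {"backend"},
}


def load_keys(environ: Mapping[str, str] = os.environ,
              required: Iterable[str] = ("write",)) -> Dict[str, str]:
    """Read API keys from environment variables, never from source code.

    Optional keys that are unset are simply absent; a missing required key raises
    so the application fails at startup rather than at its first request.
    """
    keys = {t: environ[v] for t, v in ENV_VARS.items() if environ.get(v)}
    missing = [ENV_VARS[t] for t in required if t not in keys]
    if missing:
        raise RuntimeError("missing required environment variable(s): " + ", ".join(missing))
    return keys


def check_key_context(key_type: str, context: str) -> None:
    """Raise if a key type is about to be used where the guidelines forbid it."""
    if context not in ALLOWED_CONTEXTS.get(key_type, set()):
        raise PermissionError(f"{key_type} key must not be used in a {context} context")


def select_keys_for_deployment(keys: Dict[str, str], context: str) -> Dict[str, str]:
    """Keep only the keys allowed in `context`, e.g. drop Master/Read before building a browser bundle."""
    return {t: k for t, k in keys.items() if context in ALLOWED_CONTEXTS.get(t, set())}


def redact_key(key: str, visible: int = 4) -> str:
    """Mask a key for log output, keeping a short suffix so rotations can be correlated."""
    if len(key) <= visible:
        return "*" * len(key)
    return "*" * (len(key) - visible) + key[-visible:]


def redact_authorization(line: str) -> str:
    """Scrub Bearer tokens from a log line or request dump before it is written."""
    return re.sub(r"(Bearer\s+)(\S+)", lambda m: m.group(1) + redact_key(m.group(2)), line)


if __name__ == "__main__":
    # Constructed environment standing in for a server process; real values are injected
    # by the deployment platform or a secret manager, not written into the code.
    fake_env = {"KEEN_WRITE_KEY": "WRITE_KEY_PLACEHOLDER_1234",
                "KEEN_READ_KEY": "READ_KEY_PLACEHOLDER_5678"}
    keys = load_keys(fake_env)
    print("keys loaded:", {t: redact_key(k) for t, k in keys.items()})
    print("safe for client bundle:", list(select_keys_for_deployment(keys, "client")))
    print(redact_authorization("debug: Authorization: Bearer WRITE_KEY_PLACEHOLDER_1234"))
    try:
        check_key_context("master", "client")
    except PermissionError as exc:
        print("blocked:", exc)
```

Running select_keys_for_deployment during a client build, and check_key_context before each request on the server, gives the "least privilege" and "client-side considerations" rules a single enforcement point instead of relying on every developer remembering them.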