API Configuration
Generate and manage API keys, configure rate limits, set CORS and IP allowlist rules, register OAuth2 applications, and manage webhook endpoints.
Generating API Keys
API keys authenticate programmatic requests to the OpenAnalyst REST API. Each key is associated with a workspace, a set of scopes, and optionally an expiry date.
- Navigate to Settings > API Configuration > API Keys.
- Click Generate New Key.
- Enter a descriptive name for the key (e.g., "Production Dashboard Service").
- Select the required scopes from the scope checklist.
- Optionally set an expiry date. Keys without expiry dates remain valid until manually revoked.
- Click Generate. Copy the key immediately — it is shown only once.
Warning: API keys are displayed in full only at creation time. Store them in a secrets manager or environment variable immediately. If a key is lost, revoke it and generate a new one.
# Example API request using an API key
curl -X GET "https://app.openanalyst.com/api/v1/dashboards" \
-H "Authorization: Bearer oa_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json"
Key Rotation
Rotate API keys periodically as a security best practice, or immediately if a key is suspected to be compromised. The key rotation workflow generates a new key with the same scopes while keeping the old key active for a configurable overlap period (default 24 hours), giving dependent services time to update their credentials without downtime.
Rate Limits by Plan
| Plan | Requests per Minute | Requests per Day |
|---|---|---|
| Free | 30 | 1,000 |
| Basic | 120 | 10,000 |
| Pro | 600 | 100,000 |
| Max | 1,200 | 500,000 |
| Enterprise | Custom | Custom |
Rate limit headers are included in every API response:
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 587
X-RateLimit-Reset: 1740661200
CORS Settings
If you are calling the OpenAnalyst API directly from a browser application, configure CORS to allow your origin. Navigate to Settings > API Configuration > CORS and add your allowed origins:
# Allowed origins example
https://yourapp.com
https://staging.yourapp.com
http://localhost:3000
Note: Wildcard origins (*) are not supported for security reasons. Each origin must be explicitly listed.
Webhook Endpoints
OpenAnalyst can send event notifications to configured webhook endpoints. Each endpoint is registered with a URL, an optional secret for signature verification, and a list of event types to subscribe to. See the Integrations page for details on the webhook payload format.
IP Allowlisting
Restrict API access to a set of trusted IP addresses or CIDR ranges. When an allowlist is configured, API requests from IP addresses not on the list are rejected with a 403 response. This is particularly important for production API keys used in server-to-server integrations.
Configure the allowlist at Settings > API Configuration > IP Allowlist. You can add individual IPs or CIDR ranges:
203.0.113.42 # single IP
10.0.0.0/24 # CIDR range
2001:db8::/32 # IPv6 CIDR range
OAuth2 App Registration
To build applications that authenticate on behalf of OpenAnalyst users using OAuth2, register your application in Settings > API Configuration > OAuth2 Apps. You will receive a client ID and client secret. The authorization code flow is used, with PKCE support for public clients (SPAs and mobile apps).
// OAuth2 authorization URL
GET https://app.openanalyst.com/oauth/authorize
?client_id=YOUR_CLIENT_ID
&redirect_uri=https://yourapp.com/callback
&response_type=code
&scope=read:dashboards+read:data
&state=RANDOM_STATE_VALUE
&code_challenge=YOUR_PKCE_CHALLENGE
&code_challenge_method=S256