
API Keys

Manage app API keys via API

App API keys are used to authenticate requests to your Spice runtime endpoints (SQL query, search, AI gateway, etc.). Each app has a primary and optional secondary API key for seamless rotation.


API Keys vs. Management API Tokens:

  • API Keys - Authenticate requests to your Spice runtime (https://data.spiceai.io, https://flight.spiceai.io)

  • Personal Access Tokens / OAuth Tokens - Authenticate requests to the Management API (https://api.spice.ai)

Get API Keys

GET https://api.spice.ai/v1/apps/{appId}/api-keys

Returns the API keys for a specific app.

Required scope: apps:read

Path Parameters

Parameter    Type       Description
appId        integer    The app ID

Response

{
  "api_key": "abc123...",
  "api_key_2": "def456..."
}

Response Fields:

Field        Type             Description
api_key      string | null    Primary API key
api_key_2    string | null    Secondary API key (for rotation)

Example

Regenerate API Key

POST https://api.spice.ai/v1/apps/{appId}/api-keys

Regenerates an API key for the specified app. This invalidates the previous key.

Required scope: apps:write

Path Parameters

Parameter    Type       Description
appId        integer    The app ID

Request Body

Request Fields:

Field         Type       Default    Description
key_number    integer    1          Which key to regenerate: 0 (both), 1 (primary), or 2 (secondary)

Response

Response Fields:

Field              Type             Description
api_key            string | null    Primary API key
api_key_2          string | null    Secondary API key
regenerated_key    integer          Which key was regenerated (0, 1, or 2)

Examples

Regenerate primary key (default):

Regenerate secondary key:

Regenerate both keys:

Python:

Node.js:

Using API Keys

API keys are used to authenticate requests to your Spice runtime endpoints:

SQL Query API

Arrow Flight API

AI Gateway (OpenAI Compatible)

Search API

Key Rotation Strategy

Use the dual API key system for zero-downtime key rotation:

Step-by-Step Rotation

  1. Generate secondary key (if not already created)

  2. Update clients to use secondary key

    Deploy updated applications with api_key_2 over time. Both keys remain valid.

  3. Verify all clients are using secondary key

    Monitor application logs and runtime metrics to ensure no clients are using the old key.

  4. Regenerate primary key

  5. Swap keys (optional)

    Update clients back to primary key and regenerate secondary for next rotation.

Rotation Script
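Steps 1 to 4 above as a script. This is an added example, not Spice AI's own rotation script. It uses the two endpoints documented on this page; the Bearer header for the Management API token, the JSON request body, and the deploy / all_clients_migrated hooks are assumptions.

```python
import json
import urllib.request

URL = "https://api.spice.ai/v1/apps/{app_id}/api-keys"  # endpoint from this page

def http_send(token):
    """Return a transport bound to a Management API token (Bearer header is an assumption)."""
    def send(method, app_id, body=None):
        req = urllib.request.Request(
            URL.format(app_id=app_id),
            method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return send

def rotate_primary(app_id, send, deploy, all_clients_migrated):
    """Rotate the primary key without downtime, following steps 1-4.

    deploy(key) and all_clients_migrated() are hypothetical caller-supplied hooks.
    Returns the new primary key, or None if the rotation stopped before step 4.
    """
    keys = send("GET", app_id)
    # Step 1: create the secondary key only when it is missing, so a secondary
    # key that clients may already depend on is never invalidated.
    if keys.get("api_key_2") is None:
        keys = send("POST", app_id, {"key_number": 2})
        if keys["regenerated_key"] != 2:
            raise RuntimeError("unexpected key regenerated")
    # Step 2: move clients to the secondary key; both keys stay valid.
    deploy(keys["api_key_2"])
    # Step 3: do not invalidate the primary until every client has moved.
    if not all_clients_migrated():
        return None
    # Step 4: regenerating the primary invalidates its previous value.
    result = send("POST", app_id, {"key_number": 1})
    if result["regenerated_key"] != 1 or result["api_key_2"] != keys["api_key_2"]:
        raise RuntimeError("rotation changed the wrong key")
    return result["api_key"]
```

The script never prints or logs key values; pass the returned key straight to your secrets manager.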

Security Best Practices

Key Management

  1. Rotate Regularly - Rotate keys every 90 days or after suspected exposure

  2. Use Secondary Key - Leverage the dual-key system for zero-downtime rotation

  3. Never Commit - Don't commit API keys to version control

  4. Environment Variables - Store keys in environment variables or secrets managers

  5. Monitor Usage - Track API key usage in runtime logs and metrics

Storage

Access Control

  • Limit apps:write scope to prevent unauthorized key regeneration

  • Use separate apps for development, staging, and production

  • Audit API key regeneration events

Troubleshooting

401 Unauthorized

If you receive 401 Unauthorized when using an API key:

  1. Verify the key - Ensure you're using the correct key from the response

  2. Check the header - Use x-api-key header (or Authorization: Bearer for AI Gateway)

  3. Test the key - Use the health endpoint to verify:

  4. Regenerate if needed - The key may have been rotated

Key Not Working After Rotation

If clients fail after key rotation:

  1. Check propagation - Keys are updated immediately but may take a few seconds to propagate

  2. Verify client config - Ensure clients are using the correct key variable

  3. Test both keys - Both primary and secondary keys should work

  4. Check logs - Look for authentication errors in runtime logs

Monitoring

Track API key usage through:

  • Portal Monitoring - View request counts by API key in the portal

  • Runtime Logs - Check authentication events in runtime logs

  • Metrics - Monitor request rates and error rates by key

Terraform

API keys are available as an attribute on the spiceai_app resource. See Terraform Provider for full documentation.
