API keys on CodeQR allow you to access your project programmatically. This is useful for integrating CodeQR into your application or with other tools and services. Each API key is tied to a specific project – meaning you can use it to access that project’s resources without having to worry about “leaking” access to other workspaces. API keys on CodeQR follow the format:
.env
CODEQR_API_KEY=codeqr_xxxxxxxx
By default, you can use this key to perform any API request without restriction, so it must be stored securely in your app’s server-side code (such as in an environment variable or credential management system). Don’t expose this key on a website.

Create an API key

You can create an API key by following these steps:
1

Go to your project

Go to Settings > API Keys in your project.
Workspace API keys on CodeQR
2

Create an API Key

Click on the “Create” button and select permissions you want to grant to the API key.Select between “You” and “Machine” to associate the API key with your account or a machine user.
  • You: This API key is tied to your user and can make requests against the selected project.
  • Machine: A machine user will be added to your project, and an API key associated with that machine user will be created.
Add new API key on CodeQR
Click on the Create API Key button to create the key. Make sure to copy your API key and store it in a safe place. You won’t be able to see it again.
API Key created on CodeQR
3

Use your API Key

Now that you have your API key, you can use it to access your project’s resources programmatically via SDKs or within any API request as a bearer token.
Authorization: Bearer codeqr_xxxx
We recommend creating API keys with the least privilege necessary to perform the required tasks. This helps to reduce the risk of unauthorized access to your project.

API key permissions

When creating a secret key, you can select the permissions it has, which will give the key access to certain (or all) resources on CodeQR. Here are the different permission options:
PermissionDescription
All permissionsThis API key will have full access to all resources.
Read onlyThis API key will have read-only access to all resources.
RestrictedThis API key will have restricted access to some resources:
Depending on your use case, you might want to use one of these 3 options to limit the scope of the API key and improve security. When making API calls, if your API key has insufficient permissions, the error should tell you which permissions you need.
You can only set permissions on Secret keys. Publishable keys only have access to certain endpoints, and cannot be restricted.

Machine users

On CodeQR, you can create API keys that are associated with a “Machine user”. This is particularly helpful when you don’t want to associate the API key with a particular user in your project, to avoid security risks in involving turnover or changes in project ownership.
Machine users share the same permissions as the owner role in a project. Make sure to only create machine users for trusted applications.
Creating an API key associated with a machine user on CodeQR
These machine users will show up on your project’s People tab, but will not contribute to your project’s user count.
Machine user on CodeQR
If you delete an API key associated with a machine user, the machine user will be deleted. Vice versa, if you delete a machine user, their corresponding API key will be deleted as well.