API

Access Control

API management in Gigantics is controlled by role-based permissions. Only users with the appropriate permissions can create, modify, or delete API keys and endpoints.

Required Permission

All API management operations require the ManageAPIKeys permission:

  • Creating API keys
  • Editing API keys (changing purpose or active status)
  • Deleting API keys
  • Assigning API keys to endpoints
  • Viewing API keys and endpoints
  • Deleting endpoints

Permission Assignment

Permissions are assigned at the project level:

  1. Navigate to Project → Settings → Team
  2. Assign users or roles the ManageAPIKeys permission
  3. Users with this permission can access the API Keys page from the project menu

Who Can Use Endpoints

API endpoints themselves are accessible to anyone who has a valid API key, regardless of their UI permissions. This means:

  • Users without UI access can still call API endpoints if provided with a key
  • External systems can authenticate using API keys without user accounts
  • API access is independent of UI role permissions

API Key Visibility

In the UI

  • API keys are visible in full only during creation
  • The API Keys page shows only the prefix (first 10 characters) followed by ***
  • Example display: abc123xyz-***

Accessing Keys

  • Keys cannot be retrieved after creation
  • If a key is lost, you must:
    1. Create a new API key
    2. Assign it to the endpoints
    3. Update clients to use the new key
    4. Optionally delete the old key

Endpoint Access Control

Creating Endpoints

To assign an API endpoint to a dataset or pipeline, you need:

  • ManageAPIKeys permission

Endpoint Visibility

  • Endpoints can be viewed by anyone with ManageAPIKeys permission
  • Endpoint URIs are visible to help configure clients
  • Call counts are visible to monitor usage

Deleting Endpoints

  • Requires ManageAPIKeys permission
  • Deleting an endpoint removes API access but does not delete the underlying resource (dataset or pipeline)

Pipeline Endpoints

Pipeline endpoints also require the ManagePipelines permission in addition to ManageAPIKeys for some operations:

  • Creating pipeline-specific API keys
  • Assigning endpoints to pipelines

Security Best Practices

  1. Limit access - Only grant ManageAPIKeys to users who need to manage API access
  2. Monitor usage - Regularly review call counts and last-used timestamps
  3. Rotate keys - Create a rotation schedule and stick to it
  4. Use descriptive purposes - Track who/what each key is for
  5. Deactivate unused keys - If a key hasn't been used recently, consider deactivating it
  6. Review endpoints - Periodically review which endpoints exist and remove unused ones
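
One way to run the periodic review that practices 2 to 5 describe, as an added example that is not part of the Gigantics product or its documentation. The inventory is constructed sample data kept by the operator; the field names, the `created` date and the 90-day and 30-day thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not a Gigantics export format). Field names are
# assumptions: "created" is tracked by the operator, the other fields mirror
# what this page says the API Keys page shows (masked prefix, purpose, active
# status, call count, last-used timestamp).
KEYS = [
    {"prefix": "abc123xyz-***", "purpose": "CI nightly dump", "active": True,
     "created": "2024-01-10", "last_used": "2025-05-30", "calls": 812},
    {"prefix": "k9f2mmq01a***", "purpose": "", "active": True,
     "created": "2025-04-01", "last_used": "2025-05-29", "calls": 40},
    {"prefix": "zz81pqr77b***", "purpose": "vendor ETL", "active": True,
     "created": "2025-03-15", "last_used": None, "calls": 0},
    {"prefix": "old000000x***", "purpose": "legacy app", "active": False,
     "created": "2023-06-01", "last_used": "2023-12-01", "calls": 5},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit_keys(keys, now, max_age_days=90, max_idle_days=30):
    """Return {masked prefix: [findings]} for keys that fail the review."""
    findings = {}
    for k in keys:
        issues = []
        if not k["purpose"].strip():
            issues.append("no purpose recorded")
        if k["active"]:
            if now - _day(k["created"]) > timedelta(days=max_age_days):
                issues.append("due for rotation")
            # A never-used key is measured from its creation date, so a key
            # issued today is not reported as idle.
            ref = _day(k["last_used"] or k["created"])
            if now - ref > timedelta(days=max_idle_days):
                issues.append("idle: consider deactivating")
        if issues:
            findings[k["prefix"]] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for prefix, issues in audit_keys(KEYS, now).items():
        print(prefix, "->", "; ".join(issues))
```

Only the masked prefix is recorded in the inventory, since the full key cannot be retrieved after creation and should not be copied into review tooling.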
