Authentication

Learn how to create organization API keys, configure scopes, and authenticate requests to the Ours Privacy REST API.

Authentication

The Ours Privacy REST API uses organization API keys for authentication. Every request must include a valid API key in the Authorization header.

Authorization: Bearer <your_api_key>

Creating an API Key

Only organization admins can create and manage API keys.

Step 1: Enable API Keys

API key creation must be enabled for your organization. If you don't see the API keys section in your settings, contact your organization admin or reach out to support@oursprivacy.com.

Step 2: Create a Key

  1. Go to Settings → API Keys in your Ours Privacy dashboard
  2. Click Create API Key
  3. Choose an expiration date (optional)
  4. Select the scopes your key needs (see Scopes below)
  5. Click Create

Important: Copy your API key immediately after creation. For security, the full key is only shown once and cannot be retrieved later.

Step 3: Store It Securely

Treat your API key like a password. Store it in a secrets manager, environment variable, or encrypted configuration — never commit it to source control.
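As an added example (not code from the Ours Privacy docs or SDK), the Python client below reads the key from an environment variable instead of source code, builds the Bearer header, redacts the key in log output, and maps the two authentication failures the API returns (401 and 403, per the status table under How Authentication Works) to distinct exceptions so callers never retry a revoked key. The variable name OURS_PRIVACY_API_KEY and the request URL are assumptions: the page names neither an environment variable nor an endpoint, so the caller supplies the URL.

```python
import json
import logging
import os
import urllib.error
import urllib.request

# Hypothetical environment variable name; the page does not prescribe one.
API_KEY_ENV = "OURS_PRIVACY_API_KEY"


class AuthError(Exception):
    """401: key missing, invalid, revoked, or expired. Retrying will not help; rotate the key."""


class ScopeError(Exception):
    """403: key is valid but lacks the scope the resource/action requires."""


def load_api_key(env=os.environ):
    """Read the key from the environment (or a secrets manager), never from a checked-in file."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; keep keys out of source control")
    return key


def build_headers(api_key):
    """The only header the API needs for authentication: Authorization: Bearer <key>."""
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def redact(api_key, keep=4):
    """Keep a short suffix so logs can tell keys apart without leaking the secret."""
    if len(api_key) <= keep:
        return "*" * len(api_key)
    return "*" * (len(api_key) - keep) + api_key[-keep:]


def classify_status(status):
    """Translate the documented auth failure codes into exceptions; pass other codes through."""
    if status == 401:
        raise AuthError("API key missing, invalid, revoked, or expired")
    if status == 403:
        raise ScopeError("API key lacks the required scope for this resource/action")
    return status


def call_api(url, api_key, method="GET", body=None, timeout=30):
    """Perform one authenticated request; url is supplied by the caller (no endpoint assumed)."""
    data = json.dumps(body).encode() if body is not None else None
    headers = build_headers(api_key)
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        # Log which key failed (redacted) so a revoked or under-scoped key is easy to spot.
        logging.warning("request with key %s returned HTTP %s", redact(api_key), e.code)
        classify_status(e.code)  # raises AuthError / ScopeError for 401 / 403
        raise


if __name__ == "__main__":
    # Usage: export the key, then pass the endpoint URL you intend to call.
    status, payload = call_api("https://api.example.invalid/placeholder", load_api_key())
    print(status, payload[:200])
```

A 401 means the key itself is no longer usable, so the correct response is to stop and rotate the key, not to retry; a 403 means the key works but was created with scopes too narrow for this call, which is fixed in the dashboard rather than in the client.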


Scopes

API keys are scoped to control which resources and actions they can access. You can grant either broad or granular access:

Scope                  Description
all                    Full access to all API resources and actions
Specific permissions   Grant access to individual resources (e.g., destinations, sources, consent settings). Uses the same permission model as your organization's role-based access control.

When a request requires a scope the key doesn't have, the API returns 403 Forbidden before any operation is executed.


How Authentication Works

On every request, the API validates:

  1. Key format — the Authorization header is present and correctly formatted
  2. Key validity — the key has not been revoked or expired
  3. Organization status — API keys are enabled for the organization
  4. Creator identity — the user who created the key is still a valid member of the organization
  5. Scope check — the key has the required scope for the requested resource and action

If any check fails, the API returns an appropriate error:

Status             Meaning
401 Unauthorized   Missing, invalid, revoked, or expired API key
403 Forbidden      Key is valid but lacks the required scope
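The following is an added reference model of the five checks above, written for this page and not the Ours Privacy service's own code. It runs the checks in the documented order against a constructed in-memory key store and returns the status the table describes, and it shows that a 403 is decided before the requested operation runs. Everything in the store (key values, organization and user ids, scope names such as destinations:read) is constructed; the page does not publish a key format or scope naming scheme. One assumption is marked in the code: the page does not say which status the organization-status and creator-identity checks produce, so the model returns 401 for them.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

# All keys, ids and scope names below are constructed sample data for this example.


@dataclass
class ApiKey:
    key_hash: str             # only a hash is stored; the plaintext is shown once at creation
    org_id: str
    creator_id: str
    scopes: Set[str]          # {"all"} or specific permissions such as {"destinations:read"}
    expires_at: Optional[datetime] = None
    revoked: bool = False


@dataclass
class Org:
    org_id: str
    api_keys_enabled: bool
    members: Set[str]


def key_hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

ORGS = {
    "org-a": Org("org-a", api_keys_enabled=True, members={"alice", "bob"}),
    "org-b": Org("org-b", api_keys_enabled=False, members={"carol"}),
}

KEYS = {
    key_hash("key-all"):      ApiKey(key_hash("key-all"), "org-a", "alice", {"all"}),
    key_hash("key-dest"):     ApiKey(key_hash("key-dest"), "org-a", "alice", {"destinations:read"}),
    key_hash("key-revoked"):  ApiKey(key_hash("key-revoked"), "org-a", "alice", {"all"}, revoked=True),
    key_hash("key-expired"):  ApiKey(key_hash("key-expired"), "org-a", "alice", {"all"},
                                     expires_at=NOW - timedelta(days=1)),
    key_hash("key-orphan"):   ApiKey(key_hash("key-orphan"), "org-a", "dave", {"all"}),  # dave left org-a
    key_hash("key-disabled"): ApiKey(key_hash("key-disabled"), "org-b", "carol", {"all"}),
}


def authenticate(headers: dict, required_scope: str, now: datetime = NOW) -> Tuple[int, str]:
    """Run the five documented checks in order and return (status, reason).
    Assumption (not stated on the page): checks 3 and 4 return 401, treating the key
    as no longer usable rather than merely under-scoped."""
    # 1. Key format
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme != "Bearer" or not token:
        return 401, "missing or malformed Authorization header"
    # 2. Key validity
    key = KEYS.get(key_hash(token))
    if key is None or key.revoked:
        return 401, "unknown or revoked key"
    if key.expires_at is not None and key.expires_at <= now:
        return 401, "expired key"
    # 3. Organization status
    org = ORGS.get(key.org_id)
    if org is None or not org.api_keys_enabled:
        return 401, "API keys are not enabled for this organization"
    # 4. Creator identity
    if key.creator_id not in org.members:
        return 401, "key creator is no longer a member of the organization"
    # 5. Scope check
    if "all" not in key.scopes and required_scope not in key.scopes:
        return 403, f"key lacks required scope: {required_scope}"
    return 200, "ok"


def handle_request(headers: dict, required_scope: str, operation) -> Tuple[int, object]:
    """Gate an operation on authenticate(); on 401 or 403 the operation body never runs."""
    status, reason = authenticate(headers, required_scope)
    if status != 200:
        return status, reason
    return 200, operation()


if __name__ == "__main__":
    for secret, scope in [("key-all", "destinations:write"), ("key-dest", "destinations:write"),
                          ("key-revoked", "destinations:read"), ("nope", "destinations:read")]:
        print(secret, scope, authenticate({"Authorization": f"Bearer {secret}"}, scope))
```

Storing only a hash of the key is what makes "the full key is only shown once" possible: the service can verify a presented key without being able to display it again. The ordering also matters for defenders: a revoked or expired key is rejected at step 2, so it can never reach the scope check or the operation, which is why a revoked key receives 401 rather than 403 even if it was created with the all scope.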

Revoking a Key

Admins can revoke API keys at any time from Settings → API Keys. Revoked keys immediately stop working — any in-flight or future requests using a revoked key will receive 401.


Best Practices

  • Use the narrowest scopes possible. Don't use the all scope if the key only needs to manage destinations.
  • Set expiration dates. Rotate keys regularly, especially for keys used in CI/CD or shared environments.
  • One key per integration. Create separate keys for different tools or pipelines so you can revoke one without affecting others.
  • Monitor usage. Audit which keys are active and revoke any that are no longer needed.
