Create an API token
Goal
You'll mint a personal API key (dqk_…) in the UI, copy it once, use it as a Bearer token against the REST API and the SDKs, and revoke it when you're done.
Prereqs
- A running PLACEHOLDER Cloud and an account you can log into.
- You know which org (and optionally which workspace) you want the key scoped to.
A personal API key inherits your org role and — if you scope it — your access to a single workspace. It's a credential that acts as you, so treat it like a password.
Steps
-
Log in to the UI.
-
Open Settings → API keys.
-
Click "New API key". Give it a readable name (
ci-nightly,laptop-cli) so you can tell your keys apart later. Optionally pick a workspace to scope the key to a single workspace; leave it unset to inherit your full org access. -
Re-enter your password if prompted. Minting a key is step-up gated — if your session is older than the step-up window you'll be asked to confirm your password first.
-
Copy the token now. The raw
dqk_…token is shown exactly once, right after you create it. PLACEHOLDER Cloud stores only a hash, so it can't show it to you again. If you lose it, revoke the key and mint a new one.
Use it
A dqk_… token is a Bearer token. Send it in the Authorization header against any REST endpoint:
curl -H "Authorization: Bearer dqk_..." \
https://placeholder.example.com/api/v1/organizations/$ORG_ID/personal-api-keys
Both SDKs take the same token directly:
from dq_cloud import DQCloudClient
client = DQCloudClient(api_key="dqk_...", base_url="https://placeholder.example.com")
import { DQCloudClient } from "@dq-cloud/sdk";
const client = new DQCloudClient({ apiKey: "dqk_...", baseUrl: "https://placeholder.example.com" });
See Use the Python SDK and Use the TypeScript SDK for worked examples.
Revoke it
In Settings → API keys, find the key by name and click Revoke (or DELETE /api/v1/organizations/{org_id}/personal-api-keys/{id}). You can only see and revoke your own keys. Revocation isn't instant — a revoked key may keep working for up to TOKEN_CACHE_TTL_SECONDS (default 5 seconds) while the cached lookup expires.
Verify
- The new key appears in the Settings → API keys list with its name, scope, and a blank "Last used" until its first request.
- A request carrying the token returns
200; after you revoke it (and the cache TTL elapses) the same request returns401.
Caveats
- Shown once. There's no way to retrieve the raw token after the create response. Lost key → revoke and re-mint.
- Acts as you. The key carries your org role (and workspace scope if you set one). Anyone holding it has that access — store it in a secret manager, never in source control.
- Rate-limited mint. Creating keys is capped per minute by
rate_limit_personal_api_keys_per_minute(default 10) — see Configuration. - JWT session tokens are not interchangeable with
dqk_keys for the SDK; use a personal API key (or an agentdqa_token) for non-interactive callers.