Generating an API key

This guide will talk you through generating an API key for the File Store API. The API key is used to authenticate requests and should not be shared with anyone who should not have access to it.

The API key is sensitive information and should be treated like a password. Do not share the API key with anyone who should not have access to the File Store API, including exposing the API key in client-side code or public repositories.

Prerequisites

Before generating an API key for use with File Store, you must:

  • Be a Squiz DXP user in the organization within which you need to generate the key.

  • Be an Owner or Admin on the Squiz DXP organization.

Generating an API key

Get your DXP session ID

To generate an API key, you must have your DXP session ID. This ID can be obtained by logging into your Squiz DXP instance and looking at the cookies in your browser. The session ID is stored in a cookie named dxp-sessionid. You will need to copy this value to use in the next step.

Generate the API key

To generate an API key, you must make a POST request to the API key service endpoint. The endpoint is located at https://dxp.squiz.cloud/__dxp/us/apikey/TENANT_ID/apikey/ where TENANT_ID is the ID of the tenant for which you are generating the key. This can be found in the URL of your DXP instance.

The API key service is currently deployed only in the US region. You will need to use the US region endpoint even if you are using a different region.

The request should be a POST request with the following headers:

Content-Type: application/json
Cookie: dxp-sessionid=YOUR_SESSION_ID

The body of the request should be a JSON object with the following structure:

{
  "name": "YOUR_API_KEY_NAME",
  "description": "YOUR_API_KEY_DESCRIPTION",
  "permissions": {
      "service": {
          "dxpFileStorage": {
              "privileges": [
                "FILES_PRIVATE_READ",
                "FILES_WRITE"
              ]
          }
      }
  }
}

You can have any combination of FILES_PRIVATE_READ and FILES_WRITE in the privileges array. The FILES_PRIVATE_READ privilege lets you read files marked as private, and the FILES_WRITE privilege lets you write and update files to the file store.

The response to the request will be a JSON object with the following structure:

{
  "tenant": "TENANT_ID",
  "userid": "USER_ID",
  "description": "YOUR_API_KEY_DESCRIPTION",
  "permissions": {
    "service": {
      "dxpFileStorage": {
        "privileges": [
          "FILES_PRIVATE_READ",
          "FILES_WRITE"
        ]
      }
    }
  },
  "name": "YOUR_API_KEY_NAME",
  "id": "YOUR_API_KEY_ID",
  "apikey": "YOUR_API_KEY",
  "createdDate": "YOUR_API_KEY_CREATION_DATE",
  "deleted": false
}

This is the only time that you will be able to see the API key value. Make sure to save it and store it in a secure location.

When you have received the response, you can use the apikey value as the API key for the File Store API. This key should be sent as an x-api-key header in all requests to the File Store API. When you send this header, you no longer need to send the dxp-sessionid cookie in your requests.

As a curl command, the request would look like this:

curl --request POST \
  --url https://dxp.squiz.cloud/__dxp/us/apikey/TENANT_ID/apikey/ \
  --header 'Content-Type: application/json' \
  --header 'Cookie: dxp-sessionid=YOUR_SESSION_ID' \
  --data '{
  "name": "YOUR_API_KEY_NAME",
  "description": "YOUR_API_KEY_DESCRIPTION",
  "permissions": {
      "service": {
          "dxpFileStorage": {
              "privileges": [
                "FILES_PRIVATE_READ",
                "FILES_WRITE"
              ]
          }
      }
  }
}'
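
An added example, not Squiz's own code: the same POST made with Python's standard library, requesting only the privileges that are needed, prompting for the session cookie instead of passing it on the command line, and writing the returned apikey to a new file readable only by its owner. The function names, key name, description and output path are assumptions made for illustration.

```python
import json
import os
import urllib.request

# Endpoint pattern and privilege names are the ones documented on this page.
ENDPOINT = "https://dxp.squiz.cloud/__dxp/us/apikey/{tenant}/apikey/"
ALLOWED = {"FILES_PRIVATE_READ", "FILES_WRITE"}


def build_body(name, description, privileges):
    """Build the request body, granting only the privileges explicitly asked for."""
    privs = sorted(set(privileges))
    if not privs or not set(privs) <= ALLOWED:
        raise ValueError(f"privileges must be a non-empty subset of {sorted(ALLOWED)}")
    return {"name": name, "description": description,
            "permissions": {"service": {"dxpFileStorage": {"privileges": privs}}}}


def request_key(tenant, session_id, body):
    """POST the body with the dxp-sessionid cookie and return the parsed response."""
    req = urllib.request.Request(
        ENDPOINT.format(tenant=tenant),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Cookie": f"dxp-sessionid={session_id}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def store_key(response, path):
    """Write the one-time apikey to a new owner-only file; return the non-secret fields."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(response["apikey"])
    return {k: v for k, v in response.items() if k != "apikey"}


if __name__ == "__main__":
    import getpass
    # Hypothetical key name, description and output path; TENANT_ID is a placeholder.
    body = build_body("ci-upload", "Write-only key for CI uploads", ["FILES_WRITE"])
    # Prompt for the cookie so it stays out of shell history and the process list.
    session = getpass.getpass("dxp-sessionid: ")
    meta = store_key(request_key("TENANT_ID", session, body), "filestore.key")
    print(json.dumps(meta, indent=2))  # the id is needed later to revoke the key
```

Only the non-secret fields are printed, so the key value never reaches the terminal or a CI log; keep the printed id so the key can be revoked later.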

Revoking an API key

Using the API key service endpoint you can revoke an API key by making a DELETE request to the endpoint https://dxp.squiz.cloud/__dxp/us/apikey/TENANT_ID/apikey/YOUR_API_KEY_ID/ where YOUR_API_KEY_ID is the ID of the API key you wish to revoke.

As a curl command, this request would look like this:

curl --request DELETE \
  --url https://dxp.squiz.cloud/__dxp/us/apikey/TENANT_ID/apikey/YOUR_API_KEY_ID/ \
  --header 'Content-Type: application/json' \
  --header 'Cookie: dxp-sessionid=YOUR_SESSION_ID'

When you have made this request, the API key will no longer be valid and cannot be used to authenticate requests to the File Store API.