Looker API authentication

To do anything with the Looker API, you'll first need to authenticate to it. The steps you'll need to take depend on whether or not you're using an SDK.

Authentication with an SDK

This is the recommended method for API authentication:

  1. Enable API Keys for your user on the Users page in the Admin section of your Looker instance. If you're not a Looker admin, ask your Looker admin to enable the API keys for you.

  2. On your user Account page, click the Manage button in the API Keys section to open the API Keys page.

  3. On the API Keys page, click the Create New API Key button to add a new API key to your user account.

    API keys are always bound to a Looker user account. API requests execute as the user account that's associated with the API key. Calls to the API return only the data that the user is allowed to see and modify only what the user is allowed to modify.

  4. The API key that you generated includes a client ID and a client secret. You'll need to provide these to the SDK. The instructions for doing so can be found in the SDK documentation.

The SDK will then take care of obtaining the necessary access tokens and inserting them into all subsequent API requests.

Authentication without an SDK

API authentication with an SDK is the recommended method. To authenticate without an SDK, follow these steps:

  1. Enable API Keys for your user on the Users page in the Admin section of your Looker instance. If you're not a Looker admin, ask your Looker admin to enable the API keys for you.

  2. On your user Account page, click the Manage button in the API Keys section to open the API Keys page.

  3. On the API Keys page, click the Create New API Key button to add a new API key to your user account.

    API keys are always bound to a Looker user account. API requests execute as the user account that's associated with the API key. Calls to the API return only the data that the user is allowed to see and modify only what the user is allowed to modify.

  4. Obtain a short-term, OAuth 2.0 access token by calling the login endpoint of the API. You'll need to provide the API key that you generated in step 3, which includes a client ID and a client secret.

  5. Place that access token into the HTTP authorization header of Looker API requests. An example Looker API request with an authorization header might look like this:

    GET /api/4.0/user HTTP/1.1
    Host: test.looker.com
    Date: Wed, 19 Oct 2023 12:34:56 -0700
    Authorization: token mt6Xc8jJC9GfJzKBQ5SqFZTZRVX8KY6k49TMPS8F

The OAuth 2.0 access token can be used on multiple API requests, until the access token expires or is invalidated by calling the logout endpoint. API requests that use an expired access token will fail with a 401 Authorization Required HTTP response.
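The SDK-free flow from steps 4 and 5, as an added example that is not Looker's own code: a small Python client that obtains a token from the login endpoint, sends it in the Authorization header, re-authenticates once when a request returns 401, and calls the logout endpoint to invalidate the token. The injectable `send` transport and the `fake_looker` stand-in are assumptions so the flow runs offline; the client ID and secret are passed in by the caller and should come from an environment variable or secrets store, never from source code.

```python
import json
import urllib.parse


class LookerClient:
    def __init__(self, client_id, client_secret, send):
        # send(method, path, headers, body) -> (status, bytes) is the HTTP transport: wrap urllib or
        # requests for a real instance; the constructed fake below lets the whole flow run offline.
        self.client_id, self.client_secret, self.send = client_id, client_secret, send
        self.token = None

    def login(self):
        # Step 4: exchange the client ID and client secret (form-encoded) for a short-lived OAuth 2.0 token.
        form = urllib.parse.urlencode({"client_id": self.client_id, "client_secret": self.client_secret}).encode()
        status, data = self.send("POST", "/api/4.0/login", {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"login failed: HTTP {status}")
        self.token = json.loads(data)["access_token"]
        return self.token

    def request(self, method, path):
        # Step 5: send the token in the Authorization header. A 401 means it expired or was
        # invalidated, so obtain a fresh token and retry exactly once (never loop on 401).
        if self.token is None:
            self.login()
        status, data = self.send(method, path, {"Authorization": f"token {self.token}"}, None)
        if status == 401:
            self.login()
            status, data = self.send(method, path, {"Authorization": f"token {self.token}"}, None)
        return status, data

    def logout(self):
        # Invalidate the token server-side instead of leaving it valid until it expires.
        status, _ = self.send("DELETE", "/api/4.0/logout", {"Authorization": f"token {self.token}"}, None)
        self.token = None
        return status


def fake_looker(ttl=2):
    # Constructed offline stand-in for a Looker instance (not a real server): each issued token is
    # accepted for `ttl` authenticated calls, then answers 401 exactly like an expired real token.
    uses = {}

    def send(method, path, headers, body):
        if (method, path) == ("POST", "/api/4.0/login"):
            uses[f"tok{len(uses) + 1}"] = 0
            return 200, json.dumps({"access_token": f"tok{len(uses)}", "token_type": "Bearer"}).encode()
        token = headers.get("Authorization", "")[len("token "):]
        if uses.get(token, ttl) >= ttl:
            return 401, b'{"message":"Requires authentication."}'
        uses[token] = ttl if (method, path) == ("DELETE", "/api/4.0/logout") else uses[token] + 1
        return 200, b'{"id":42}'

    return send
```

Against a real instance, replace `fake_looker()` with a transport that performs the HTTP request and returns `(status, body)`; the header format `Authorization: token <access_token>` matches the request shown above.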

API interaction with user login settings

Looker API authentication is completely independent of Looker user login. User authentication protocols such as one-time passcodes (OTP, 2FA) and directory authentication (LDAP, SAML, and so on) don't apply to Looker API authentication.

For this reason, deleting a user's information from a user authentication protocol doesn't delete their API keys. Using the procedures on the Deleting personal user information documentation page removes all of a user's personal data from Looker, preventing them from logging in at all, including through the API.

Managing API keys

  • Multiple sets of API keys can be bound to a single Looker user account.
  • API keys can be created and deleted without affecting the state of the user account.
  • Deleting a Looker user account invalidates all API keys that are bound to the user account.
  • The API client secret must be kept private. Avoid storing API client secrets in source code or in other places that can be seen by many people.
  • In production environments, avoid using API keys that are bound to Looker admin accounts. Create minimal-privilege user accounts (often called service accounts) specifically for API activities, and create API keys on those accounts. Grant only the permissions that are needed for the intended API activities.

Authentication using OAuth

Looker can use the Cross-Origin Resource Sharing (CORS) protocol to let web applications make calls to the Looker API from outside a Looker instance's domain. See the Looker API authentication using OAuth documentation page for information about configuring CORS authentication.