API Keys

If you've already learned how to call Algorithms, you've seen your API key: the long string of characters starting with "sim" which is passed to Algorithmia.client(). Your API Keys ensure that the call can access your data sources, and that the call is billed to the correct account. But did you know that you can have more than one API Key, and that they should be used for different purposes?

With multiple API Keys, you can limit your risk by specifying, for each key, which Algorithms it can run, what Data it can access, and which contexts it can run in (e.g. only from JavaScript on specific websites). If a key is exposed, you can delete it without affecting your other applications.

Click "Create New" > "API Key" in the upper-right to make a new one. Give it a descriptive name so you'll remember why you made it (for example, "HelloWorld for Contractor X").

Next, you can pick which specific Algorithms this key can be used to run. The default, "algo://*", allows any Algorithm, but you can delete this and enter a single Algorithm such as "algo://demoalgo/HelloWorld/*" (meaning "all version numbers of the demoalgo/HelloWorld Algorithm").

Following this, you can choose whether to allow this Key to run in browser-side JavaScript, or in all other languages ("Native clients"). We don't recommend checking both at the same time.

If you've selected browser JS, you can also specify CORS restrictions, which allow the key to be used only from specific sites.

The "Data Access" section lets you specify whether this key can be used to read, or to read and write, your data collections. Only allow this if you or someone you trust very well will be using the key.

Don't check the box under "Management APIs". This is only useful if you are creating your own Algorithms, and is dangerous to enable otherwise.

Once you've created an API Key, you can copy it and use it in Algorithmia.client(), replacing the default key for that code segment. You can always return to this page and click the "..." next to any Key to edit or delete it.

IMPORTANT NOTE for browser-side JavaScript: If you're embedding browser-side code, your API Key will be naturally exposed in the source code delivered to the browser, so you want to narrow the key's capabilities as much as possible. Unless your website is only accessible inside a corporate firewall, don't check both "native clients" and "Web browser", lock it down to specific Algorithms instead of using "algo://*", and set Data to "No Access" or "View Only" if possible.
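
The recommendations on this page can be checked mechanically when you review your keys. The following Python is an added example, not Algorithmia code: the dictionary field names are hypothetical stand-ins for the options on the key form, and the sample keys are constructed.

```python
# Added example: audit API key settings against this page's guidance.
# Field names ("algorithms", "native", "browser", "cors_origins", "data",
# "management") are hypothetical; transcribe them by hand from the key form.

def audit_key(key):
    """Return a list of findings for one key's settings (empty list = OK)."""
    findings = []
    wildcard = any(scope.strip() == "algo://*" for scope in key["algorithms"])
    if key["native"] and key["browser"]:
        findings.append("both 'Native clients' and 'Web browser' are checked")
    if key["management"]:
        findings.append("'Management APIs' is enabled")
    if key["browser"]:
        # A browser key is visible in page source, so it gets the strict checks.
        if wildcard:
            findings.append("browser key is scoped to algo://* (any Algorithm)")
        if not key["cors_origins"]:
            findings.append("browser key has no CORS site restriction")
        if key["data"] == "read_write":
            findings.append("browser key can write to data collections")
    return findings

# Constructed sample settings, not real keys.
KEYS = [
    {"name": "HelloWorld for Contractor X",
     "algorithms": ["algo://demoalgo/HelloWorld/*"],
     "native": False, "browser": True,
     "cors_origins": ["https://example.com"],
     "data": "none", "management": False},
    {"name": "Website widget",
     "algorithms": ["algo://*"],
     "native": True, "browser": True,
     "cors_origins": [],
     "data": "read_write", "management": True},
]

def audit_all(keys):
    """Map each key name to its findings, keeping only keys with problems."""
    report = {k["name"]: audit_key(k) for k in keys}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_all(KEYS).items():
        print(name)
        for item in found:
            print("  -", item)
```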

Next, let's look at the "Account" tab, which shows your credit balance and call history.