v2.4.1

Authentication & API Access

Securely connect to the DataPulse Analytics Platform using API keys, OAuth 2.0, and service account credentials.

Note: All API requests must include a valid authentication token in the Authorization header. Tokens expire after 24 hours and can be refreshed using the /auth/refresh endpoint.

1. Generating API Keys

API keys provide the simplest way to authenticate server-to-server requests. You can generate keys from the DataPulse Console under Settings → API Access.

Permission Level | Scope | Use Case
read_only | Datasets, Dashboards, Reports | BI Integrations, Read-only clients
read_write | Everything in read_only + ETL Pipelines | Data ingestion services, automated workflows
admin | Full platform access + User management | Infrastructure provisioning, DevOps scripts

2. OAuth 2.0 Flows

For user-facing applications, implement OAuth 2.0 authorization code flow with PKCE. This ensures secure delegated access without exposing long-lived credentials.

Step 1: Authorization Request

Redirect users to the DataPulse authorization endpoint with your client ID and requested scopes.

HTTP
GET https://auth.datapulse.ai/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=analytics:read pipelines:write&
  state=csrf_token_value&
  code_challenge=VERIFIER_HASH&
  code_challenge_method=S256

Step 2: Token Exchange

Exchange the authorization code for an access and refresh token.

cURL
curl -X POST https://auth.datapulse.ai/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "code": "AUTH_CODE_FROM_REDIRECT",
    "redirect_uri": "https://yourapp.com/callback",
    "code_verifier": "ORIGINAL_VERIFIER"
  }'

Security Warning: Never store client_secret in frontend code or public repositories. Use environment variables and secret management services (e.g., HashiCorp Vault, AWS Secrets Manager).
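
The client-side work around Steps 1 and 2, as an added example that is not part of the DataPulse documentation or SDK: deriving the S256 code_challenge from a random code_verifier (RFC 7636), building the Step 1 URL with every parameter URL-encoded, and checking state on the redirect before the code is used in Step 2. All function names are assumptions made for this example; the endpoint and parameter names are the ones shown above.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.datapulse.ai/oauth/authorize"  # endpoint from Step 1


def s256_challenge(verifier):
    """BASE64URL(SHA256(verifier)) with '=' padding stripped (RFC 7636, S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); keep the verifier server-side."""
    verifier = secrets.token_urlsafe(32)  # 43 chars, inside the 43-128 range
    return verifier, s256_challenge(verifier)


def build_authorize_url(client_id, redirect_uri, scopes, state, challenge):
    """Step 1 URL; urlencode escapes redirect_uri and the space-separated scope."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, expected_state):
    """Return the authorization code only if state matches the session value."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    return params["code"][0]
```

The verifier returned by make_pkce_pair is the value sent as code_verifier in the Step 2 token exchange; store it and the state value in the user's server-side session between the two steps.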

3. SDK Authentication

The official DataPulse SDKs handle token management, retries, and rate limiting automatically. Initialize the client with your credentials:

Python
from datapulse import Client, Config

client = Client(
    api_key="dp_live_8f3k29d...",
    config=Config(
        environment="production",
        timeout=30,
        retries=3
    )
)

# Verify connection
info = client.auth.verify()
print(f"Authenticated as: {info.org_name}")

4. Rate Limiting

API endpoints enforce rate limits to ensure platform stability. Limits are applied per API key and vary by plan tier.

  • Starter: 100 requests/minute
  • Business: 1,000 requests/minute
  • Enterprise: Custom limits (up to 10k/min)

When rate limited, the API returns 429 Too Many Requests with a Retry-After header. Implement exponential backoff in your client.

5. Webhook Authentication

Webhooks include an HMAC-SHA256 signature in the X-Datapulse-Signature header. Verify payloads before processing events.

Node.js
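const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  // Compute the expected header value for this payload.
  const hmac = crypto.createHmac('sha256', secret);
  const digest = hmac.update(payload).digest('hex');
  const expected = Buffer.from(`sha256=${digest}`);
  const received = Buffer.from(String(signature));
  // timingSafeEqual throws on a length mismatch, so reject that case first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(received, expected);
}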