Authentication
This document describes the authentication mechanism of the EO Platform.
Introduction
The EO Platform supports authentication via API Key, which is designed for server-to-server (S2S) integrations, backend jobs, data synchronization scripts, and other automated scenarios.
Each user is assigned exactly one active API Key, and the data access permissions granted by this key are identical to the user’s own permissions within the platform (e.g., accessible projects, datasets, and allowed operations).
Using an API Key enables secure, non-interactive API calls to the platform on behalf of the user.
API Key Authentication
Obtaining an API Key
- Log in to the EO Data Management Console;
- Navigate to User Center > Profile;
- In the API Key Management section, click “Show” to view your current API Key;
- If you do not yet have an API Key, the system generates one automatically the first time you open this section.
🔐 Important Notes:
- The API Key is displayed in full only once upon generation—please store it securely.
- If you suspect the key has been compromised or wish to rotate credentials, immediately use the “Refresh API Key” function.
Refreshing the API Key
You can refresh your API Key at any time from the Profile page by clicking “Refresh API Key”:
- After refreshing, the previous API Key is immediately invalidated and can no longer be used for any API requests;
- A new API Key is generated automatically;
- All services using the old key will stop working—ensure you update all integrations accordingly.
Usage
When calling EO Platform APIs, include the X-API-Key header in your HTTP request:
```http
GET /api/v1/datasets HTTP/1.1
Host: api.eo-platform.com
X-API-Key: xxxxxxxxxxxxxxxxxxxxxxxx
Content-Type: application/json
```
Example Request (cURL)
```bash
curl -X GET https://api.eo-platform.com/api/v1/datasets \
  -H "X-API-Key: xxxxxxxxxxxxxxxxxxxxxxxx"
```
Response Codes
- Success: 200 OK with the requested data;
- Invalid, missing, or expired key (including a key invalidated by a refresh): 401 Unauthorized;
- Insufficient permissions: 403 Forbidden (e.g., attempting to access a dataset the user does not have permission to view).
Security Best Practices
To protect your account and data, please strictly adhere to the following guidelines:
✅ Required Practices:
- Use only on the server side: API Keys must be used exclusively in trusted server environments. Never expose them in frontend code (e.g., HTML, JavaScript), mobile apps, desktop applications, or public repositories;
- Always use HTTPS: All API calls must be made over HTTPS to prevent interception;
- Principle of least privilege: Ensure your user account has only the necessary permissions—the API Key inherits these permissions exactly;
- Rotate regularly: We recommend refreshing your API Key every 90 days;
- Respond to leaks immediately: If you suspect a leak, refresh the key in the console right away.
❌ Strictly Prohibited:
- Committing API Keys to version control systems (e.g., Git, SVN);
- Logging or displaying full API Keys in logs, monitoring tools, or error reports;
- Sharing your API Key with unauthorized individuals or third-party services.
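The following client is an added example written for this page; it is not the platform's own SDK or sample code. It puts the Usage section and the practices above into working form: the key is read from an environment variable (assumed name EO_API_KEY) instead of source code, plaintext URLs are refused, any Authorization header is dropped so the API Key is the credential actually evaluated, only a masked prefix of the key ever reaches error messages, and the documented 401/403 responses are mapped to what the operator should do. The base URL is the host from the page's example request; the path and JSON handling are assumptions.

```python
"""Minimal EO Platform API-key client (added example, not the platform's own SDK)."""
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumptions (not from the page): the key arrives via this environment variable,
# and the base URL is the host shown in the page's example request.
API_KEY_ENV = "EO_API_KEY"
DEFAULT_BASE_URL = "https://api.eo-platform.com"


class EOAuthError(Exception):
    """Raised on 401/403 so callers can tell an auth failure from other errors."""


def load_api_key(env=None):
    """Read the key from the environment rather than from source code or config files."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; inject the key at runtime, never commit it")
    return key


def mask_key(key):
    """Log-safe rendering: a short prefix only, never the full key."""
    if len(key) <= 8:
        return "****"
    return key[:4] + "..."


def check_https(url):
    """Refuse plaintext transport so the key cannot be captured on the wire."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def build_headers(api_key, extra_headers=None):
    """Headers for an API-key call.

    The platform gives Token authentication precedence when both credentials are
    present, so any Authorization header is dropped to make sure the API Key is
    the credential actually evaluated.
    """
    headers = {k: v for k, v in (extra_headers or {}).items() if k.lower() != "authorization"}
    headers["X-API-Key"] = api_key
    headers["Accept"] = "application/json"
    return headers


def classify_status(status):
    """Map the response codes the page documents to an actionable description."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "invalid, missing, or refreshed API key: update the stored key"
    if status == 403:
        return "key accepted but the user lacks permission for this resource"
    return f"unexpected HTTP status {status}"


def get_json(path, api_key, base_url=DEFAULT_BASE_URL, timeout=30):
    """GET a JSON resource with API-key auth; raises EOAuthError on 401/403."""
    url = check_https(base_url.rstrip("/") + path)
    req = urllib.request.Request(url, headers=build_headers(api_key), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            # Only the masked key reaches logs and error reports.
            raise EOAuthError(
                f"{exc.code}: {classify_status(exc.code)} (key {mask_key(api_key)})"
            ) from None
        raise


if __name__ == "__main__":
    # Example run: EO_API_KEY=... python eo_client.py
    print(json.dumps(get_json("/api/v1/datasets", load_api_key()), indent=2))
```

A 401 after a working integration suddenly fails is the signature of a "Refresh API Key" in the console: the old key is invalidated immediately, so the fix is to update the stored key everywhere it is deployed rather than to retry.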
Frequently Asked Questions
Q: Can a user have multiple API Keys?
A: No. Each user may have only one active API Key at any time. Refreshing the key immediately invalidates the previous one and issues a new one.
Q: Does the API Key expire automatically?
A: No, it does not expire by default. However, you can manually invalidate it at any time by refreshing. Regular rotation is strongly recommended for security.
Q: Can I use the API Key to log in to the web console?
A: No. API Keys are for API access only and cannot be used to log in to the EO web interface.
Q: What happens if I include both a Token and an API Key in a request?
A: The platform gives Token-based authentication precedence: when both are present, the Token is the credential that is evaluated. If you intend to authenticate with the API Key only, do not send an Authorization header.
📌 Summary: The API Key is a secure credential that acts on your behalf for automated integrations. Treat it with the same level of protection as your password—any exposure may lead to unauthorized access or data compromise.