We have a self-hosted Redash which we are trying to use in our own application. There are two ways to access the API from our application:

Approach #1. GET 'https://selfhostedredash.in.mydomain.com/api/queries?api_key=xxxxxxxxxxxxx'

Approach #2. GET --header 'Accept: application/json' --header 'Authorization: Key xxxxxxxxx' 'https://selfhostedredash.in.mydomain.com/api/queries'

My developers' concern is that, the way it is used in case #1 (which is the default with Redash), we are putting sensitive information in the URL; I believe api_key is sensitive information.
Approach #2 requires customisation in the Redash codebase, I believe; please correct me if I am wrong here.

Please help me to finalise the way the API could be used.
Thanks in advance.

Approach #2 doesn’t need customization. Redash already allows this.

The API key in Approach #1 is unique to the query (and can be regenerated if compromised). It doesn’t grant access to any other resources. In some ways it seems safer than Approach #2, but less convenient.
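An added example, not part of any post in this thread and not Redash's own code: it builds the Approach #2 request with the key in the `Authorization` header, then finds and scrubs `api_key` values in web-server access log lines, which is where Approach #1 URLs typically end up. The log lines, key values and function names are constructed for illustration.

```python
import re
import urllib.request

BASE_URL = "https://selfhostedredash.in.mydomain.com"  # host named in the thread

# Matches api_key=<value> in a query string, wherever the URL appears in a line.
API_KEY_PARAM = re.compile(r"([?&]api_key=)[^&\s\"']+")


def build_request(path, api_key):
    """Approach #2: the key travels in the Authorization header, not the URL."""
    req = urllib.request.Request(BASE_URL + path, method="GET")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", "Key " + api_key)
    return req


def scrub(line):
    """Redact api_key values from a log line (request target and Referer)."""
    return API_KEY_PARAM.sub(r"\1REDACTED", line)


def leaking_lines(lines):
    """Return the indexes of log lines that carry an api_key in a URL."""
    return [i for i, line in enumerate(lines) if API_KEY_PARAM.search(line)]


# Constructed access-log lines (combined log format); keys are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/queries?api_key=EXAMPLEKEY1 HTTP/1.1" 200 512 "-" "app/1.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/queries HTTP/1.1" 200 512 "-" "app/1.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 90 '
    '"https://selfhostedredash.in.mydomain.com/queries/1?page=2&api_key=EXAMPLEKEY2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    req = build_request("/api/queries", "EXAMPLEKEY1")
    print(req.full_url)                     # URL carries no key
    print(req.get_header("Authorization"))  # key is sent as a header
    print(leaking_lines(SAMPLE_LOG))        # lines logged with a key in a URL
    for line in SAMPLE_LOG:
        print(scrub(line))
```

The second sample line is what the header-based request leaves in the log; the third shows a key reaching the log through a Referer value rather than the request line.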

Thanks for the reply.

The link below also helped me to understand the API a bit more.

The docs are helpful too.