home User Guide Getting Started Help Center Documentation Community Training Certification
menu
close
settings
Looker keyboard_arrow_down
language keyboard_arrow_down
English
Français
Deutsch
日本語
search
print
Looker API Authentication

To do anything with the Looker API, you’ll first need to authenticate to it. The steps you’ll need to take depend on whether or not you’re using an SDK.

Authentication with an SDK

This is the recommended method for API authentication:

  1. Create API3 credentials on the Users page in the Admin section of your Looker instance. If you’re not a Looker admin, ask your Looker admin to create the API3 credentials for you.

    API3 credentials are always bound to a Looker user account. API requests execute “as” the user associated with the API3 credentials. Calls to the API will only return data that the user is allowed to see, and modify only what the user is allowed to modify.

  2. The API3 credentials that you generated include a client ID and a client secret. You’ll need to provide these to the SDK. The instructions for doing so can be found in the SDK documentation.

The SDK will then take care of obtaining the necessary access tokens and inserting them into all subsequent API requests.

Authentication Without an SDK

API authentication with an SDK is the recommended method. To authenticate without an SDK:

  1. Create API3 credentials on the Users page in the Admin section of your Looker instance. If you’re not a Looker admin, ask your Looker admin to create the API3 credentials for you.

    API3 credentials are always bound to a Looker user account. API requests execute “as” the user associated with the API3 credentials. Calls to the API will only return data that the user is allowed to see, and modify only what the user is allowed to modify.

  2. Obtain a short-term, OAuth 2.0 access token by calling the login endpoint of the API. You’ll need to provide the API3 credentials that you generated in step 1, which include a client ID and a client secret.

  3. Place that access token into the HTTP authorization header of Looker API requests. An example Looker API request with an authorization header might look like this:

    GET /api/3.0/user HTTP/1.1
    Host: test.looker.com
    Date: Wed, 19 Oct 2016 12:34:56 -0700
    Authorization: token mt6Xc8jJC9GfJzKBQ5SqFZTZRVX8KY6k49TMPS8F
    

The OAuth 2.0 access token can be used on multiple API requests, until the access token expires or is invalidated by calling the logout endpoint. API requests using an expired access token will fail with a 401 Authorization Required HTTP response.

API Interaction with User Login Settings

Looker API authentication is completely independent of Looker user login. User authentication protocols such as one-time passcodes (OTP, 2FA) and directory authentication (LDAP, SAML, and so on) do not apply to Looker API authentication.

Because of this, deleting a user’s information from a user authentication protocol does not delete their API credentials. Using the procedures on the Deleting Personal User Information documentation page removes all of a user’s personal data from Looker, preventing them from logging in at all, including through the API.

Managing API Credentials

HTTPS Authentication

Even if you’re using a client SDK to take care of the authentication details for you, you may still be curious about how Looker API authentication works. For low-level details about authentication, see How to Authenticate to the Looker API on GitHub.

Authentication Using CORS

Looker can use the Cross-Origin Resource Sharing (CORS) protocol to let web applications make calls to the Looker API from outside a Looker instance’s domain. See the Looker API Authentication Using CORS documentation page for information about configuring CORS authentication.

Top