Authentication & API Keys
By default, every Sheet Best connection is unauthenticated — anyone with the
URL can call it. You can optionally protect a connection with a single API key.
When enabled, every request must include that key in the X-Api-Key header.
Enable an API key
- Open the connection in the Sheet Best dashboard.
- Click Edit on the connection details page.
- Open Advanced Settings.
- Toggle API Key on. Sheet Best generates a key for the connection.
You can disable or regenerate the key from the same screen at any time.
Send the key
Pass the key in the X-Api-Key header on every request:
- cURL
- JavaScript
- Python
curl -H 'X-Api-Key: <your-api-key>' \
'https://api.sheetbest.com/sheets/<api-id>'
fetch('https://api.sheetbest.com/sheets/<api-id>', {
headers: {
'X-Api-Key': '<your-api-key>',
},
});
import requests
requests.get(
'https://api.sheetbest.com/sheets/<api-id>',
headers={'X-Api-Key': '<your-api-key>'},
)
The same header applies to POST, PATCH, PUT, and DELETE requests.
Errors
Requests to a protected connection without a valid key return:
| Status | Error code | Cause |
|---|---|---|
401 | not_authenticated | The X-Api-Key header is missing. |
401 | authentication_failed | The key is incorrect. |
Keeping keys safe
Treat the API key like any other secret:
- Do not commit it to source control.
- Do not embed it in client-side code that runs in browsers you do not control — anyone can read it from the network tab. For browser apps, proxy requests through your own backend.
- Rotate the key from Advanced Settings if you suspect it has leaked.