Regulatory compliance may impose stringent data access requirements, such as having the user declare their intended use of the data, provide their IRB number and necessary PHI level, and sign associated terms of use documents every time they log in. This information is logged with each access of the data for later review or audit.

To enable programmatic use of data as if "attached" to a given session, an administrator can configure the server to allow the user to obtain a session key once they have logged in. This key can be used to authorize client code accessing LabKey Server using one of the LabKey Client APIs. Using an API key avoids copying and storing your credentials on the client machine. All client API access is tied to the current browser session, which means the code runs under the current context (e.g., your user, your authorizations) and if applicable, your declared terms of use and PHI level, your current impersonation state, etc.

The API key will lose authorization when the session expires, e.g., when you sign out via the browser or the server automatically times out your session.

Configure Session Keys

  • Select (Admin) > Site > Admin Console.
  • Click the Admin Console Links tab.
  • Under Configuration, click Site Settings.
  • Under Configure Security, check the box for Allow API session keys.
  • Click Save.

Access and Use a Session Key

Once enabled, the user can log in, providing all the necessary compliance information, then retrieve their unique session key from the username pulldown menu:

The session ID is a long, randomly generated token that is valid for only this single browser session. Click Copy to Clipboard to grab it. Then click Done.

You can then paste this key into a script or other API access of data. Your use of the data will be logged with all the same data access information you provided when you logged in.

For example, if you were accessing data via R, you could run the following command in your R interface to enable access to the protected data.


You will then be able to access the data from R until the session associated with that key is terminated, whether via timeout or log out.


Related Topics


expand all collapse all