
API Access and Permissions in Uncountable

Uncountable’s API is designed with security and permission enforcement at its core. This article answers frequently asked questions about how the API handles authentication, authorization, and data access permissions—ensuring users can only interact with data they’re allowed to see.

Overview

What is Role-Based Access Control (RBAC)?

Role-Based Access Control is a security model that restricts access to data and operations based on a user’s role and their assigned permissions. In Uncountable, these permissions determine which projects, experiments, and datasets a user can access.

How does RBAC apply to API usage?

Uncountable applies the same permission rules to API access as it does to the web interface. Whether an API call is made with a personal API key or by a robot account, the call can only read or modify data that the underlying account is permitted to view or edit.

Who or what can make API requests?

API requests can be made using:

  • Personal API keys associated with individual user accounts
  • Robot users, which are service accounts typically used for integrations or automated tasks

Both types of accounts follow the same role and permission structures as regular users.

FAQ

How does the API enforce role-based access to project data?

API calls are made through authenticated user accounts (personal or robot users), and responses are filtered based on the user’s assigned permissions. If a user doesn’t have access to a project, experiment, or dataset, that data will not be returned in the API response.

Can API requests be filtered automatically based on user roles?

Yes. Filtering is handled automatically by Uncountable. The API will only return data that the authenticated user has permission to view—no additional filtering logic is required on the client side.

What happens if a user tries to access data they don’t have permission to see?

The API returns a 403 Forbidden error. These denied requests are logged internally and can be reviewed or forwarded to the customer on request.

Can access be restricted at a granular level (e.g., project, experiment, dataset)?

Yes. Permissions can be configured with fine-grained control, matching the same access levels available in the Uncountable UI. This allows organizations to tightly manage who can access what data, even within the same workspace.

How does the API authenticate users from external tools like Hex?

Uncountable supports OAuth 2.0 for secure authentication and authorization. Tools like Hex can authenticate using OAuth tokens to access project data on behalf of users.

What authentication methods does the API support?

The API supports:

  • OAuth 2.0 (recommended for integrations and third-party tools)
  • Basic Authentication (typically used for simpler or legacy use cases). Basic Authentication sends the credentials with every request, so it should only be used over HTTPS.

Does the API log access requests for audit purposes?

Yes. All API access requests are logged. These logs can be shared with your organization’s SIEM (Security Information and Event Management) system for auditing or monitoring.
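The value of forwarding these logs to a SIEM is in what you alert on. The following Python script is an added example, not code from Uncountable or from this article: it runs simple detection logic over a handful of constructed API access-log lines. The JSON line format, field names, principals and paths are all assumptions for illustration (this page does not describe the real export format). It flags any principal that accumulates a burst of 403 Forbidden responses inside a short window, which is the pattern you would expect from a misconfigured integration or from someone probing resource IDs they are not entitled to, while ignoring the occasional 403 a normal user produces by following a stale link.

```python
"""Detection over constructed Uncountable-style API access logs (example only).

Assumption: each log line is a JSON object with ts, principal, kind
(user|robot), method, path and status. This is NOT the documented export
format; adapt the parser to whatever your SIEM ingests.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real Uncountable logs.
SAMPLE_LOG = """\
{"ts": "2025-06-27T10:00:01Z", "principal": "alice@example.com", "kind": "user", "method": "GET", "path": "/api/projects", "status": 200}
{"ts": "2025-06-27T10:00:05Z", "principal": "alice@example.com", "kind": "user", "method": "GET", "path": "/api/projects/42/experiments", "status": 200}
{"ts": "2025-06-27T10:01:10Z", "principal": "hex-sync", "kind": "robot", "method": "GET", "path": "/api/projects/77", "status": 403}
{"ts": "2025-06-27T10:01:11Z", "principal": "hex-sync", "kind": "robot", "method": "GET", "path": "/api/projects/78", "status": 403}
{"ts": "2025-06-27T10:01:12Z", "principal": "hex-sync", "kind": "robot", "method": "GET", "path": "/api/projects/79", "status": 403}
{"ts": "2025-06-27T10:01:13Z", "principal": "hex-sync", "kind": "robot", "method": "GET", "path": "/api/projects/80", "status": 403}
{"ts": "2025-06-27T10:01:14Z", "principal": "hex-sync", "kind": "robot", "method": "GET", "path": "/api/projects/81", "status": 403}
{"ts": "2025-06-27T10:30:00Z", "principal": "bob@example.com", "kind": "user", "method": "GET", "path": "/api/projects/12", "status": 403}
{"ts": "2025-06-27T11:45:00Z", "principal": "bob@example.com", "kind": "user", "method": "GET", "path": "/api/projects/13", "status": 403}
"""


def parse_log(text):
    """Parse JSON lines into dicts, converting ts to a datetime (UTC, naive)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_forbidden_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {principal: info} for principals with >= threshold 403s in any
    sliding time window. info holds the account kind, the burst size and the
    distinct paths that were denied, which is what an analyst wants first."""
    by_principal = defaultdict(list)
    for e in events:
        if e["status"] == 403:
            by_principal[e["principal"]].append(e)

    hits = {}
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[principal] = {
                    "kind": evs[end]["kind"],
                    "count": count,
                    "paths": sorted({e["path"] for e in evs[start:end + 1]}),
                }
                break  # one alert per principal is enough for this pass
    return hits


if __name__ == "__main__":
    for who, info in find_forbidden_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {info['kind']} {who}: {info['count']} x 403 on {info['paths']}")
```

With the default threshold (five 403s inside five minutes) only the robot account `hex-sync` is flagged; `bob@example.com` produced two denials more than an hour apart, which is normal. Tune the threshold per account kind: a robot that suddenly starts drawing 403s usually means its permissions changed or it was pointed at the wrong workspace, and a burst over consecutive resource IDs deserves a closer look.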

Updated on June 27, 2025
