Authentication
Vibedasher has two access tiers: the authenticated API (an API key) and a small public, no-auth surface.
API key (X-Api-Key)
The authenticated API — datasets, SQL, visualizations, connections, AI chat, and more — is
accessed with an API key sent in the X-Api-Key header.
Mint a key
Create a key with POST /v1/api-keys, from the app or the API. Treat it like a password:
it carries your account's access. Store it in an environment variable, never in source
control.
Send it
curl https://api.eu-central-1.vibedasher.com/v1/datasets \
-H "X-Api-Key: $VIBEDASHER_API_KEY"
The official SDKs wire this header for you — you just pass the key when you construct the client:
import { Vibedasher } from '@vibedasher/client';
const client = new Vibedasher({
apiKey: process.env.VIBEDASHER_API_KEY!,
region: 'eu-central-1',
});
const { data, error } = await client.datasets.list();
from vibedasher import Vibedasher
client = Vibedasher(api_key="<your-api-key>", region="eu-central-1")
client.datasets.list()
The base URL is region-routed: https://api.{region}.vibedasher.com
(eu-central-1).
Public endpoints — no auth
The endpoints under /v1/public/* require no authentication. They serve only content
that has been explicitly published and marked public:
curl https://api.eu-central-1.vibedasher.com/v1/public/viz/slug/<slug>
Drafts and private dashboards return 404 — there is no way to read unpublished data
through the public surface.
What's never exposed
Pure infrastructure and admin plumbing is excluded from the API entirely — admin cache/job/ worker management, the AI-debug and observability viewers, cross-account analytics, WebSocket transport, and direct function invocation. These power the app internally and are not part of the documented surface.
Need something the API doesn't cover yet? Reach out via the chat widget on vibedasher.com.