Breadcrumbs

Setting up API-keys for ADA

ADA (Agile Data Agent) requires External API keys with specific endpoint permissions to interact with ADE. Use Admin UI to create the keys.

Recommendation

Create developer-specific API keys for ADA. Use the developer's email address as the API key description. This provides traceability in Designer, where changes show as:

user.name@company.com <api_key:abc123>

API Key Permissions

Set all listed endpoints to ALLOW. Methods required: GET and POST.

Design Environment

Base path: /external-api/api/<tenant>/<installation>/design/

Endpoint

Methods

Purpose

metadata/v1/entities/formats/yaml

GET, POST

Fetch and push entity YAML

metadata/v1/entities/formats/yaml/schema

GET

Fetch YAML JSON Schema

metadata/v1/packages/formats/json

GET, POST

Fetch and push config packages (schedules, templates)

metadata/v1/graphql

POST

Package discovery, entity metadata enrichment

code/v1/preview

GET

SQL code preview for pushed entities

deployment/v1/commits

GET, POST

Create and check deployment commits

pingpong/v1

GET

Connectivity test

When creating API-keys in Admin UI set appropriate authorization rules. Create separate authorization rules for POST and GET.

For example, adding POST commands for example tenant s1234567 and installation datahub:

/external-api/api/s1234567/datahub/design/metadata/v1/entities/formats/yaml
/external-api/api/s1234567/datahub/design/metadata/v1/packages/formats/json
/external-api/api/s1234567/datahub/design/metadata/v1/graphql
/external-api/api/s1234567/datahub/design/deployment/v1/commits

And separate rule for GET:

/external-api/api/s1234567/datahub/design/metadata/v1/entities/formats/yaml
/external-api/api/s1234567/datahub/design/metadata/v1/entities/formats/yaml/schema
/external-api/api/s1234567/datahub/design/metadata/v1/packages/formats/json
/external-api/api/s1234567/datahub/design/code/v1/preview
/external-api/api/s1234567/datahub/design/deployment/v1/commits
/external-api/api/s1234567/datahub/design/pingpong/v1

Runtime Environments

Base path: /external-api/api/<tenant>/<installation>/<env>/

Endpoint

Methods

Purpose

dagger/v2/dags/*/dag-runs

GET, POST

Trigger DAGs and check run status

pingpong/v1

GET

Connectivity test

Follow the same rules as for Design-environment, and add separate authorization rules POST and GET.

For example, adding POST for dev environment:

/external-api/api/s1234567/datahub/dev/dagger/v2/dags/*/dag-runs

And separate rule for dev environment GET:

/external-api/api/s1234567/datahub/dev/dagger/v2/dags/*/dag-runs
/external-api/api/s1234567/datahub/dev/pingpong/v1

Minimal vs Full Access

If you want to restrict ADA to read-only operations (pull only, no push):

  • Allow GET on all endpoints

  • Allow POST on graphql endpoints

  • Deny POST on metadata/v1/entities/formats/yaml (blocks push)

  • Deny POST on deployment/v1/commits (blocks commits)

  • Deny POST on dagger/v2/dags/*/dag-runs (blocks DAG triggers)