This document explains the restrictions and permission requirements for using the Kubera API.
Kubera API keys can have different permission levels and restrictions:
- Read-only vs Update permissions
- IP address restrictions
- Rate limits
Read-only API keys can:
- ✅ List portfolios (
GET /api/v3/data/portfolio) - ✅ Get portfolio details (
GET /api/v3/data/portfolio/{id}) - ❌ Update items (
POST /api/v3/data/item/{id})
Update-enabled API keys can:
- ✅ List portfolios
- ✅ Get portfolio details
- ✅ Update items
Some API keys may be restricted to specific IP addresses.
Symptoms:
- 401 Authentication errors despite correct credentials
- Works from one location but not another
Resolution:
- Verify your current IP address
- Contact Kubera support to add your IP to the allowlist
- Consider using a VPN if working from multiple locations
The library provides helpful error messages to identify permission issues:
Authentication failed: [error message].
Check: 1) Credentials are correct, 2) IP address is allowed (some API keys have IP restrictions)
Possible causes:
- Invalid API key or secret
- IP address not in allowlist
Permission denied: [error message].
Note: Update operations require an API key with update permissions enabled.
Read-only API keys cannot modify data.
Possible causes:
- Using read-only API key for update operations
- API key lacks required permissions
Rate limit exceeded: [error message].
Limits: 30 req/min, 100/day (Essential) or 1000/day (Black)
Possible causes:
- Exceeded requests per minute
- Exceeded daily request limit
The CLI includes warnings about permissions:
NOTES:
- Update operations require API keys with update permissions enabled
- Some API keys may be IP address restricted
IMPORTANT: This command requires an API key with UPDATE PERMISSIONS enabled.
Read-only API keys will fail with a 403 error.
When using the Python library, handle permissions gracefully:
from kubera import KuberaClient, KuberaAPIError
client = KuberaClient()
try:
# This works with read-only keys
portfolios = client.get_portfolios()
# This requires update permissions
client.update_item("item_id", {"value": 50000})
except KuberaAPIError as e:
if e.status_code == 401:
print("Authentication failed - check credentials and IP restrictions")
elif e.status_code == 403:
print("Permission denied - API key needs update permissions")
elif e.status_code == 429:
print("Rate limit exceeded - wait before retrying")-
Use Read-Only Keys for Read Operations
- Minimize security risk by using read-only keys when updates aren't needed
- Only use update-enabled keys when necessary
-
Monitor Rate Limits
- Track your API usage
- Implement exponential backoff for 429 errors
- Cache responses when appropriate
-
Handle IP Restrictions
- Document allowed IP addresses
- Test from all required locations
- Plan for IP changes (static IPs, VPN solutions)
-
Error Handling
- Always catch and handle permission errors gracefully
- Provide clear feedback to users about permission requirements
- Log errors for debugging
-
Verify credentials are correct:
echo $KUBERA_API_KEY echo $KUBERA_SECRET
-
Check your IP address:
curl ifconfig.me
-
Test with the connection script:
python test_connection.py
-
Verify your API key has update permissions (contact Kubera support)
-
Use read-only operations to verify credentials work:
kubera list # Should work with any key -
Try update with a different API key if available
- Check current usage
- Wait for rate limit window to reset
- Implement request throttling in your code:
import time for item in items: client.update_item(item['id'], updates) time.sleep(2) # Wait 2 seconds between requests
For issues related to:
- Enabling update permissions on your API key
- Adding IP addresses to allowlist
- Increasing rate limits
Contact Kubera support through your account dashboard.