Authentication
Complete guide to authenticating with the Flow API.
API Keys
Flow API uses API key authentication. All requests to /v1/* endpoints require a valid API key.
Getting Your API Key
- Log in to your Flow dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give it a descriptive name
- Copy the key immediately - it's only shown once!
API Key Format
flow_sk_live_<prefix>_<secret>
Example: flow_sk_live_abc12345_xyz78901234567890abcdefghijklmnopqrstuvwxyz
Using Your API Key
Include your API key in the Authorization header:
curl https://api.flow.dev/v1/channels \
  -H "Authorization: Bearer flow_sk_live_abc12345_xyz789..."
Using SDKs
SDKs handle authentication automatically:
TypeScript:
import { Flow } from '@flowdev/sdk';
const flow = new Flow('flow_sk_live_abc12345_xyz789...');
Python:
from flow_sdk import Flow
flow = Flow(api_key='flow_sk_live_abc12345_xyz789...')
Go:
import "github.com/flowdev/go-sdk"
client := flow.NewClient("flow_sk_live_abc12345_xyz789...")
API Key Permissions
API keys can have specific permissions:
- posts:read - Read posts
- posts:write - Create/update/delete posts
- channels:read - Read channels
- channels:write - Create/update/delete channels
- connections:read - Read connections
- connections:write - Manage connections
- webhooks:read - Read webhooks
- webhooks:write - Manage webhooks
- api-keys:read - Read API keys
- api-keys:write - Manage API keys
- analytics:read - Read analytics
- media:read - Read media
- media:write - Upload/delete media
When creating an API key, you can specify which permissions it should have. By default, new keys have all permissions.
Creating a Scoped API Key
const { apiKey } = await flow.apiKeys.create({
  name: 'Read-only Key',
  permissions: ['posts:read', 'channels:read'],
});
Security Best Practices
1. Never Commit API Keys
# ❌ Never commit .env files
git add .env
# ✅ Add to .gitignore
echo ".env" >> .gitignore
2. Use Environment Variables
// ✅ Use environment variables
const apiKey = process.env.FLOW_API_KEY;
3. Use Different Keys for Different Environments
const apiKey = process.env.NODE_ENV === 'production'
  ? process.env.FLOW_API_KEY_PROD
  : process.env.FLOW_API_KEY_DEV;
4. Rotate Keys Regularly
- Delete unused keys
- Create new keys periodically
- Monitor key usage
5. Use Least Privilege
Only grant necessary permissions:
// ✅ Scoped key for specific use case
const readOnlyKey = await flow.apiKeys.create({
  name: 'Monitoring Key',
  permissions: ['posts:read', 'analytics:read'],
});
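A .gitignore entry keeps the .env file out of the repository, but a key pasted directly into source code still gets committed. The added example below (not part of Flow's documentation or SDK) scans file contents for the key format documented above and reports each finding with the secret redacted; the alphanumeric character set, the 16-character minimum, and the SAMPLE input are assumptions constructed for illustration.

```javascript
// Added example, not Flow's own tooling: find Flow API keys in file contents.
// Shape from the page: flow_sk_live_<prefix>_<secret>. Assumptions: both segments
// are alphanumeric (as in the page's example) and a real secret has at least 16
// characters, so truncated placeholders like "flow_sk_live_abc12345_xyz789..." are skipped.
const FLOW_KEY_RE = /flow_sk_live_([A-Za-z0-9]+)_([A-Za-z0-9]{16,})/g;

// Replace the secret segment of every key in a string. The prefix is kept so a
// finding can be matched to a key in the dashboard (assumed to be non-secret).
function redactKey(text) {
  return text.replace(FLOW_KEY_RE, (_match, prefix) => `flow_sk_live_${prefix}_[REDACTED]`);
}

// Scan one file's text and return a finding per key, with 1-based line numbers.
function scanText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(FLOW_KEY_RE)) {
      findings.push({ file, line: index + 1, prefix: match[1], redacted: redactKey(match[0]) });
    }
  });
  return findings;
}

// Scan a { fileName: contents } map, e.g. the staged files of a commit.
function scanFiles(files) {
  return Object.entries(files).flatMap(([name, text]) => scanText(name, text));
}

// Constructed sample input; the key is the documentation example, not a real key.
const SAMPLE = {
  'src/client.js':
    "const flow = new Flow('flow_sk_live_abc12345_xyz78901234567890abcdefghijklmnopqrstuvwxyz');\n",
  'config/app.js': 'const apiKey = process.env.FLOW_API_KEY;\n',
  'README.md': 'curl -H "Authorization: Bearer flow_sk_live_abc12345_xyz789..."\n',
};

const findings = scanFiles(SAMPLE);
for (const f of findings) {
  console.log(`${f.file}:${f.line}: Flow API key ${f.redacted}`);
}
// In a pre-commit hook or CI job, fail the run when findings.length > 0,
// then revoke the exposed key and create a new one.
```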
Error Responses
Invalid API Key (401)
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key",
    "code": "INVALID_API_KEY"
  }
}
Solutions:
- Check that your API key is correct
- Ensure the Authorization header is formatted correctly
- Verify the API key hasn't been revoked
Missing API Key (401)
{
  "error": {
    "type": "authentication_error",
    "message": "API key required",
    "code": "MISSING_API_KEY"
  }
}
Solutions:
- Include the Authorization header in your request
- Format: Authorization: Bearer flow_sk_live_...
Insufficient Permissions (403)
{
  "error": {
    "type": "authorization_error",
    "message": "Insufficient permissions",
    "code": "INSUFFICIENT_PERMISSIONS",
    "details": [
      {
        "field": "permission",
        "message": "Required permission: posts:write"
      }
    ]
  }
}
Solutions:
- Check your API key permissions
- Create a new API key with the required permissions
Testing Authentication
Test your API key with a simple request:
curl https://api.flow.dev/v1/health \
  -H "Authorization: Bearer flow_sk_live_..."
A successful response confirms your API key is valid.
Next Steps
- Learn about Rate Limits
- Understand Error Handling
- Explore API Reference Overview