Skip to main content

Overview

Flowra API endpoints that support API key authentication accept your project API key via header. Create and manage keys in the dashboard under Project → API Keys.

API key authentication

Send your API key in one of these ways: 
curl -X GET "https://flowra.dev/api/v1/users/profile" \
  -H "x-api-key: YOUR_API_KEY"

Option 2: Authorization Bearer

curl -X GET "https://flowra.dev/api/v1/users/profile" \
  -H "Authorization: Bearer YOUR_API_KEY"
Replace YOUR_API_KEY with your actual project API key.

Optional: x-username header

For endpoints that support it, you can send x-username to act in the context of an external user (e.g. in multi-tenant apps). Send the same username you use in the external-users API. This header is optional. 
curl -X GET "https://flowra.dev/api/v1/external-users" \
  -H "x-api-key: YOUR_API_KEY" \
  -H "x-username: end_user_alice"

Which endpoints use API keys?

Endpoints that support API key auth are marked in the API reference. They use the x-api-key security scheme. Examples:
  • UsersGET /api/v1/users/profile
  • Tools — list, get by ID, execute, execution logs
  • Auth configs — list, create, get, update, delete
  • Trigger instances — list, upsert, manage status
  • Connected accounts — list, link, get, delete
  • LLMPOST /api/v1/ai/llm/generate, POST /api/v1/ai/llm/chat
  • MCP — MCP-related endpoints
Other endpoints (for example login/register) may use different auth (e.g. session or OAuth) and are not covered by the API key flow above.

Security

Do not expose API keys. Do not commit them to version control, log them, or send them from client-side or public apps. Use environment variables or a secrets manager.
If you need to rotate a key, create a new key in the dashboard, update your app, then revoke the old key.

Next steps