Authentication
All FlowStack API requests require authentication using a Bearer token.
Generating an API Key
- Log in to app.onflowstack.com
- Go to Settings → API Keys
- Click + Create API Key
- Enter a descriptive name (e.g., "Production Backend", "CI/CD Pipeline")
- Select the scope:
  - Read — Can only read data (flows, runs, connections)
  - Write — Can create, update, and delete resources
  - Admin — Full access including team management
- Click Create
- Copy the key immediately — it won't be shown again
Using Your API Key
Include the API key in the Authorization header of every request:
curl -X GET https://app.onflowstack.com/api/v1/flows \
  -H "Authorization: Bearer fs_live_abc123def456..."
JavaScript/TypeScript
const response = await fetch('https://app.onflowstack.com/api/v1/flows', {
  headers: {
    'Authorization': 'Bearer fs_live_abc123def456...',
    'Content-Type': 'application/json',
  },
});
const data = await response.json();
Python
import requests

headers = {
    'Authorization': 'Bearer fs_live_abc123def456...',
    'Content-Type': 'application/json',
}
response = requests.get('https://app.onflowstack.com/api/v1/flows', headers=headers)
data = response.json()
API Key Prefixes
| Prefix | Environment |
|---|---|
| fs_live_ | Production API key |
| fs_test_ | Test/sandbox API key |
Key Management
Rotating Keys
- Create a new key with the same permissions
- Update your applications to use the new key
- Verify everything works
- Delete the old key
Revoking Keys
- Go to Settings → API Keys
- Find the key to revoke
- Click Revoke
- The key is immediately invalidated — all requests using it will return 401 Unauthorized
Security Best Practices
- Never expose keys in client-side code — API keys should only be used server-side
- Use environment variables — Store keys in the FLOWSTACK_API_KEY env var, not in code
- Limit scope — Use read-only keys when write access isn't needed
- Rotate regularly — Replace keys every 90 days
- Monitor usage — Check API usage in Settings to detect unauthorized access
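
One way to apply the environment-variable practice together with the key prefixes listed above, as an added example that is not FlowStack's own code: the key is read from FLOWSTACK_API_KEY, rejected if its prefix belongs to the other environment, and masked before it can reach an error message or log. The helper names (`load_api_key`, `redact`, `auth_headers`, `ApiKeyError`) and the sample key value are assumptions made for this illustration.

```python
import os

# Prefix-to-environment mapping taken from the "API Key Prefixes" table.
PREFIXES = {"fs_live_": "production", "fs_test_": "test"}


class ApiKeyError(RuntimeError):
    """Raised when the key is missing or does not match the expected environment."""


def key_environment(key):
    """Return 'production' or 'test' based on the key prefix, else None."""
    for prefix, env in PREFIXES.items():
        if key.startswith(prefix) and len(key) > len(prefix):
            return env
    return None


def redact(key):
    """Keep only the prefix so a key can be identified in logs without leaking it."""
    for prefix in PREFIXES:
        if key.startswith(prefix):
            return prefix + "****"
    return "****"


def load_api_key(expected_env, environ=os.environ):
    """Read FLOWSTACK_API_KEY and refuse keys issued for the other environment."""
    key = environ.get("FLOWSTACK_API_KEY", "").strip()
    if not key:
        raise ApiKeyError("FLOWSTACK_API_KEY is not set")
    actual = key_environment(key)
    if actual is None:
        raise ApiKeyError("FLOWSTACK_API_KEY has an unrecognised prefix")
    if actual != expected_env:
        raise ApiKeyError(f"expected a {expected_env} key, got a {actual} key ({redact(key)})")
    return key


def auth_headers(key):
    """Build the Authorization header in the form shown under "Using Your API Key"."""
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    # Constructed sample value, not a real key.
    sample = {"FLOWSTACK_API_KEY": "fs_test_EXAMPLEONLY"}
    key = load_api_key("test", environ=sample)
    print(redact(key), auth_headers(key)["Authorization"].startswith("Bearer fs_test_"))
```

Calling `load_api_key("test")` in CI and `load_api_key("production")` in the deployed service makes a misplaced production key fail at start-up rather than on the first request.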