Authentication
Overview
All API requests require a Bearer token in the Authorization header.
Format: Authorization: Bearer sk_live_…
- Keys use the
sk_live_prefix. - Your first key is generated at signup and shown once — it cannot be retrieved again.
- Create additional keys with
POST /v1/api-keys. - Deactivate a key with
POST /v1/api-keys/{id}/deactivate.
Correct vs incorrect headers
✓
Authorization: Bearer sk_live_abc123…✗
Authorization: sk_live_abc123… — missing Bearer✗
Authorization: Bearer — missing keyHTTP 401
Invalid or missing credentials typically return 401 Unauthorized. When the body follows the public error envelope, it looks like this:
{
"error": {
"type": "unauthorized",
"message": "Invalid API key",
"code": "unauthorized"
}
}Some edge cases (e.g. malformed Authorization header) may return a plain text or non-JSON detail from the framework — always check status code first.
Rate limits
- Beta: there is no aggressive global rate limit; each API key may have a configurable requests-per-minute ceiling.
- Your wallet balance is the main spend guardrail.
- Need higher throughput? Contact hello@flopex.ai.