The Flowy API uses secret keys for authentication. A key belongs to a workspace, and every run you start with it is billed to that workspace.

Create a key

1. Open API keys settings

   In the app, go to Settings → API keys (the API page). You’ll need to be a workspace owner or editor.

2. Create the key

   Click Create API key, give it a name, and optionally set a daily spend cap and rate limit under Advanced options.

3. Copy it now

   Your key (it looks like flw_sk_…) is shown once. Copy it and store it in a secrets manager or server environment variable; you won’t be able to see it again.

Treat a secret key like a password. Keep it on your server — never commit it to source control or expose it in a browser or other client‑side code.

Authenticate a request

Send the key as a Bearer token in the Authorization header on every request:

export FLOWY_API="https://apis.tryflowy.ai/genstudio-svc-v2/api/v1"
export FLOWY_KEY="flw_sk_..."

curl "$FLOWY_API/apps" \
  -H "Authorization: Bearer $FLOWY_KEY"

A missing, malformed, revoked, or expired key returns 401 Unauthorized.

Protecting your keys

Because a leaked key spends your workspace credits, every key supports three safeguards (set them when you create or edit a key):

| Safeguard | What it does |
| --- | --- |
| Daily spend cap | Once the key has spent its cap (credits/day), new runs are rejected with 402 until the next UTC day. Bounds the damage from a leak. |
| Rate limit | Caps requests per minute for the key (default applies if unset). Excess requests get 429. |
| Revoke | Disables the key immediately. The Last used column helps you spot a key that’s behaving unexpectedly. |

Your workspace’s available credit balance is always the final backstop: when it reaches zero, runs stop regardless of any cap.
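
The Python client below is an added example, not Flowy's own code: it reads the key from the FLOWY_KEY environment variable, sends it as a Bearer token, and reacts differently to the 401, 402 and 429 responses described above. The function names, the retry count and the backoff schedule are assumptions; only the base URL, the /apps call, the flw_sk_ prefix and the status codes come from this page.

```python
import os
import time
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

# Base URL as shown on this page; overridable from the environment.
API = os.environ.get("FLOWY_API", "https://apis.tryflowy.ai/genstudio-svc-v2/api/v1")


def seconds_until_next_utc_day(now=None):
    """A spend-capped key stays rejected until the next UTC day begins."""
    now = now or datetime.now(timezone.utc)
    next_day = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((next_day - now).total_seconds())


def http_get(url, key):
    """Default transport: returns (status, body) instead of raising on 4xx."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def flowy_get(path, key=None, transport=http_get, sleep=time.sleep, max_retries=3):
    """GET a path with the key from FLOWY_KEY; the key never appears in errors."""
    key = key or os.environ.get("FLOWY_KEY", "")
    if not key.startswith("flw_sk_"):
        raise RuntimeError("FLOWY_KEY is unset or does not look like a flw_sk_ key")
    for attempt in range(max_retries + 1):
        status, body = transport(f"{API}{path}", key)
        if status == 200:
            return body
        if status == 401:  # missing, malformed, revoked or expired: retrying cannot help
            raise PermissionError("401 Unauthorized: check, rotate or re-issue the key")
        if status == 402:  # daily spend cap hit (new runs): blocked until the next UTC day
            raise RuntimeError(f"402: spend cap reached, resets in {seconds_until_next_utc_day()}s")
        if status != 429:
            raise RuntimeError(f"unexpected HTTP status {status}")
        if attempt < max_retries:  # 429: per-minute limit, so wait and retry
            sleep(min(60, 5 * 2 ** attempt))  # assumed backoff schedule: 5s, 10s, 20s
    raise RuntimeError("429: still rate limited after retries")


if __name__ == "__main__":
    print(flowy_get("/apps"))
```

The transport and sleep parameters exist so the status handling can be exercised without network access or a real key.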