Skip to main content

Authentication

The Flowlix API uses Bearer token authentication. Every API request must include your secret API key in the Authorization header.

Making authenticated requests

Include your API key in the Authorization header using the Bearer scheme: 
curl https://api.flowlix.eu/v1/payments \
  -H "Authorization: Bearer fl_test_sk_abc123def456"

API key types

Flowlix provides two types of secret keys:
Key prefixEnvironmentPurpose
fl_test_sk_Test modeDevelopment and testing. No real charges are made.
fl_live_sk_Live modeProduction. Real money is moved.
Both key types work identically with the API. The only differences are:
  • Test keys never create real charges or contact payment networks.
  • Live keys process real payments against real cards.
  • Payments created with a test key have "livemode": false in the response.
  • Payments created with a live key have "livemode": true.

Finding your keys

  1. Log in to the Flowlix Dashboard.
  2. Navigate to Settings > API Keys.
  3. Copy the key you need (test or live).
Your secret API key grants full access to your Flowlix account. Never share it publicly, commit it to version control, or include it in client-side code.

Key security best practices

  • Store keys in environment variables — never hardcode them in source files.
  • Use test keys in development — switch to live keys only in production deployments.
  • Rotate keys periodically — you can generate new keys in the Dashboard without downtime.
  • Restrict key permissions — use the Dashboard to limit what each key can do (coming soon).

Authentication errors

If the API key is missing, malformed, or revoked, the API returns a 401 Unauthorized response: 
{
  "error": {
    "type": "authentication_error",
    "code": "invalid_api_key",
    "message": "Invalid API key provided. Check that your API key is correct and active.",
    "param": null,
    "decline_code": null,
    "doc_url": "https://docs.flowlix.eu/api-reference/authentication",
    "request_id": "req_abc123def456"
  }
}

Custom headers

In addition to Authorization, the API supports these optional headers:
HeaderDescription
Flowlix-VersionPin a specific API version (e.g., 2026-07-01). Defaults to your account’s version.
Idempotency-KeyEnsure write requests are processed exactly once. See Idempotency.
Flowlix-Request-IdReturned in every response. Use it when contacting support.