API keys allow your backend servers to interact with Fluxrate without user authentication. They are scoped to specific operations for security.
Scopes
| Scope | Description |
|---|---|
| usage.write | Track usage events, generate widget tokens |
| usage.read | Read usage data |
Creating an API Key
- Go to API Keys in the sidebar
- Click Create API Key
- Give it a descriptive name (e.g., “Production Backend”)
- Select required scopes
- Click Create
- Copy the key immediately — it’s only shown once
curl -X POST https://api.fluxrate.co/api/v1/api-keys \
-H "Content-Type: application/json" \
-H "Cookie: access_token=<token>" \
-d '{
"name": "Production Backend",
"scopes": ["usage.write"]
}'
Response:
{
"id": "...",
"name": "Production Backend",
"key": "org_live_abc123xyz...",
"scopes": ["usage.write"],
"status": "ACTIVE",
"created_at": "2025-01-01T00:00:00Z"
}
The key value is shown only once at creation time. If you lose it, delete the key and create a new one.
Listing API Keys
Note: The key secret is never returned in list responses — only the key ID, name, scopes, and status.
Deleting an API Key
DELETE /api/v1/api-keys/<key_id>
Deleted keys are immediately revoked. Any requests using that key will receive a 401 Unauthorized response.
Security Best Practices
- Least privilege — Only grant the scopes your integration actually needs
- Environment variables — Store keys in environment variables, never in code
- Rotate regularly — Delete and recreate keys periodically
- Per-environment — Use separate keys for development, staging, and production
- Monitor — Watch for unexpected usage patterns
Keys follow the format: org_live_<random> for production keys.
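One way to enforce the "never in code" practice using the key format above, as an added example that is not Fluxrate's own code: it scans source text for literals carrying the `org_live_` prefix and loads the key from the environment, failing closed when it is missing or malformed. The variable name `FLUXRATE_API_KEY`, the alphabet and minimum length of the random part, and the sample key are assumptions; the page documents only the prefix.

```python
import os
import re

# Assumption: the random part is 8+ characters of letters, digits, "_" or "-".
# The page documents only the "org_live_" prefix, not the alphabet or length.
KEY_PATTERN = re.compile(r"\borg_live_[A-Za-z0-9_-]{8,}")


def redact(key):
    """Keep the prefix and last 4 characters so a finding can be tied to a key without leaking it."""
    return "org_live_" + "*" * 4 + key[-4:]


def find_hardcoded_keys(text):
    """Return (line_number, redacted_key) for every key-shaped literal in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def load_key(env=os.environ, var="FLUXRATE_API_KEY"):
    """Read the key from the environment (variable name is an assumption); fail closed."""
    key = env.get(var, "").strip()
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError(f"{var} is unset or is not an org_live_ key")
    return key


# Constructed sample source file; the key below is made up for this example.
SAMPLE = '''\
import os
API_KEY = "org_live_EXAMPLEkey0001"      # hard-coded: flagged
api_key = os.environ["FLUXRATE_API_KEY"]  # from environment: fine
'''

if __name__ == "__main__":
    for lineno, redacted in find_hardcoded_keys(SAMPLE):
        print(f"line {lineno}: hard-coded key {redacted}")
```

Run `find_hardcoded_keys` over staged files in a pre-commit hook or CI job; any finding means the key should be deleted and recreated, since deleted keys are revoked immediately.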