Fluxrate uses two authentication mechanisms depending on the context:
| Mechanism | Used For | How |
|---|---|---|
| JWT Cookies | Dashboard & all management APIs | access_token HttpOnly cookie |
| API Keys | SDK usage tracking & widget tokens | X-API-Key header |

JWT Cookie Authentication
Login
```bash
curl -X POST https://api.fluxrate.co/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@yourcompany.com",
    "password": "your-password"
  }'
```
On success, Fluxrate sets two HttpOnly cookies:
access_token — Short-lived JWT (15 minutes by default)
refresh_token — Long-lived token (7 days by default)
Making Authenticated Requests
Browsers automatically send cookies. For programmatic access:
```bash
curl -X GET https://api.fluxrate.co/api/v1/customers \
  -H "Cookie: access_token=eyJ..."
```
Refreshing the Access Token
When the access token expires, use the refresh token:
```bash
curl -X POST https://api.fluxrate.co/api/v1/auth/refresh \
  -H "Cookie: refresh_token=abc123..."
```
Returns a new access_token cookie.
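The login, authenticated-request and refresh steps above can be combined into one client that refreshes once when the access token is rejected and sends the refresh token only to the refresh endpoint. This is an added example, not Fluxrate's own code; the `transport` seam, the `make_fake_api` stand-in, and the 200/401 status codes are assumptions.

```python
import json
from http.cookies import SimpleCookie
BASE = "https://api.fluxrate.co/api/v1"

class FluxrateSession:
    """Cookie client: log in, then refresh once if the access token is rejected."""
    def __init__(self, transport):
        # Hypothetical seam: transport(method, url, headers, body) -> (status, [(name, value)], body)
        self.transport, self.cookies = transport, {}

    def _send(self, method, path, cookie_names, body=None):
        headers = {"Content-Type": "application/json"}
        pairs = [f"{n}={self.cookies[n]}" for n in cookie_names if n in self.cookies]
        if pairs:
            headers["Cookie"] = "; ".join(pairs)
        status, resp_headers, resp_body = self.transport(method, BASE + path, headers, body)
        for name, value in resp_headers:
            if name.lower() == "set-cookie":
                for key, morsel in SimpleCookie(value).items():
                    if morsel.value:
                        self.cookies[key] = morsel.value
                    else:
                        self.cookies.pop(key, None)  # empty value clears the cookie
        return status, resp_body

    def login(self, email, password):
        creds = json.dumps({"email": email, "password": password})
        return self._send("POST", "/auth/login", [], creds)[0] == 200  # 200 on success is assumed

    def request(self, method, path, body=None):
        status, resp = self._send(method, path, ["access_token"], body)
        if status == 401:  # assumed status for an expired access token
            # The refresh token goes only to /auth/refresh, never to other routes.
            if self._send("POST", "/auth/refresh", ["refresh_token"])[0] == 200:
                status, resp = self._send(method, path, ["access_token"], body)  # single retry
        return status, resp

def make_fake_api():
    """Constructed stand-in for the API: the token issued at login counts as expired."""
    log = []
    def transport(method, url, headers, body):
        cookie = headers.get("Cookie", "")
        log.append((url[len(BASE):], cookie))
        if url.endswith("/auth/login"):
            return 200, [("Set-Cookie", "access_token=old; HttpOnly"), ("Set-Cookie", "refresh_token=r1; HttpOnly")], ""
        if url.endswith("/auth/refresh"):
            return (200, [("Set-Cookie", "access_token=new; HttpOnly")], "") if cookie == "refresh_token=r1" else (401, [], "")
        return (200, [], "[]") if cookie == "access_token=new" else (401, [], "")
    return transport, log
```

The single retry keeps a revoked or expired refresh token from causing a request loop; a second 401 is returned to the caller, which should log in again.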
Logout
Clears both cookies.
Signup
```bash
curl -X POST https://api.fluxrate.co/api/v1/auth/signup \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@yourcompany.com",
    "password": "secure-password",
    "organization_name": "Acme Corp"
  }'
```
API Key Authentication
API keys are for server-to-server integration — primarily usage tracking from your backend.
Required Scope
| Endpoint | Required Scope |
|---|---|
| POST /sdk/track | usage.write |
| GET /usage | usage.read |
| POST /widget/token | usage.write |

Usage
```bash
curl -X POST https://api.fluxrate.co/api/v1/sdk/track \
  -H "Content-Type: application/json" \
  -H "X-API-Key: org_live_abc123..." \
  -d '{
    "meter_token": "...",
    "customer_external_id": "cust_123",
    "quantity": 1
  }'
```
Managing API Keys
Create and manage API keys in Dashboard → API Keys or via the API:
```
# Create
POST /api/v1/api-keys
# List
GET /api/v1/api-keys
# Delete
DELETE /api/v1/api-keys/<key_id>
```
API key secrets are shown only once at creation time. Store them securely in environment variables — never commit them to source code.