Authentication
The Flow Relay REST API authenticates every request with a bearer API key. There is no OAuth flow for the API – you create a key in the dashboard and send it in the Authorization header.
Bearer header
```bash
curl "https://www.flowrelay.it/api/v1/projects" \
  -H "Authorization: Bearer fr_your_api_key"
```

Keys are prefixed with fr_ followed by 32 bytes of randomness. Only a SHA-256 hash is stored server-side; the raw key is shown once at creation and can never be retrieved again.
Creating, rotating, and revoking keys
Manage keys in Settings → API Keys:
- Create – generates a new key and reveals it once. Copy it immediately.
- Revoke – deletes the key. Any request using it then returns 401.
- Rotate – create a new key, update your clients, then revoke the old one. There is no forced expiry, so rotate on your own schedule.
The key inherits your tenant access. It can only read and generate within projects you can access, with the same role you hold.
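The hash-only storage model and the create, rotate, revoke lifecycle described above, as an added sketch that is not Flow Relay's own code. The `KeyStore` class, the hex encoding of the 32 random bytes, and the user id values are assumptions made for illustration.

```python
import hashlib
import secrets

PREFIX = "fr_"  # key prefix stated on the page


class KeyStore:
    """Hypothetical server-side store: maps SHA-256(key) -> owner, never the raw key."""

    def __init__(self):
        self._by_hash = {}  # hex digest -> user id

    @staticmethod
    def _digest(raw_key):
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def create(self, user_id):
        # 32 random bytes; hex encoding is an assumption, the page does not say.
        raw_key = PREFIX + secrets.token_hex(32)
        self._by_hash[self._digest(raw_key)] = user_id
        return raw_key  # revealed once; only the digest is kept

    def authenticate(self, authorization_header):
        """Return the owning user id, or None (the caller answers 401)."""
        if not authorization_header:
            return None
        scheme, _, raw_key = authorization_header.partition(" ")
        # HTTP auth scheme names are case-insensitive.
        if scheme.lower() != "bearer" or not raw_key.startswith(PREFIX):
            return None
        # Lookup is keyed on the digest, so the raw key is never stored or compared.
        return self._by_hash.get(self._digest(raw_key))

    def revoke(self, raw_key):
        """Delete the key's digest; returns False if it was not present."""
        return self._by_hash.pop(self._digest(raw_key), None) is not None


if __name__ == "__main__":
    store = KeyStore()
    old_key = store.create("user-1")   # constructed sample user id
    new_key = store.create("user-1")   # rotate step 1: issue the replacement
    # ...clients switch to new_key here...
    store.revoke(old_key)              # rotate step 2: retire the old key
    print(store.authenticate("Bearer " + old_key))  # None -> 401
    print(store.authenticate("Bearer " + new_key))  # user-1
```

Because the keys carry 32 bytes of randomness, a single unsalted SHA-256 is enough here; the slow, salted hashing used for passwords addresses low-entropy secrets, which these are not.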
Rate limits
API requests are limited to 60 requests per minute, per key. Exceeding the limit returns 429 Too Many Requests. AI generation endpoints additionally share a per-user generation limiter (10/min) across keys and the dashboard.
```json
{ "error": "Too many requests. Please wait a moment and try again." }
```

Back off and retry after a short delay. For high-volume reads, cache results and spread requests across the minute.
Error responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid Authorization header. |
| 404 | The project or resource is not accessible by this key. |
| 429 | Rate limit exceeded – back off and retry. |
See Errors for the structured error_code values returned by failed generations.