API Reference
Authentication
Secure your API requests using Bearer token authentication with API keys.
Overview
The Flametalk API uses API keys to authenticate requests. API keys are scoped to your workspace and provide full access to all resources within that workspace. You can create multiple API keys for different applications or environments.
Key Format
API keys follow the format: sk_<prefix>_<secret>
- sk_live_... — Production keys
- sk_test_... — Test/development keys
Using API Keys
Include your API key in the Authorization header as a Bearer token:
curl -X GET "https://dev.flametalk.ai/v1/agents" \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxx"
Creating API Keys
Generate keys from your workspace settings.
1. Navigate to Settings: From your dashboard, click Settings in the sidebar.
2. Open API Keys: Select the API Keys tab.
3. Generate New Key: Click Generate New Key and enter a descriptive name (e.g., “Production App” or “Development”).
4. Copy Your Key: Copy the key immediately—it won't be displayed again after you leave the page.
Keep your API key secret
Your API key provides full access to your workspace. Never commit keys to version control, share them in client-side code, or expose them publicly.
Security Best Practices
Protect your API keys and your users' data.
Use Environment Variables
Store API keys in environment variables, never in code:
# .env file (never commit this!)
FLAMETALK_API_KEY=sk_live_xxxxxxxxxxxxxxxx
Use Separate Keys for Environments
Create different API keys for development, staging, and production. This limits the blast radius if a key is compromised.
Rotate Keys Periodically
Generate new keys periodically and revoke old ones. This ensures any leaked key has a limited lifetime.
Server-Side Only
Never use API keys in client-side JavaScript. Always make API calls from your backend server.
Revoking API Keys
Immediately disable compromised or unused keys.
If you believe an API key has been compromised, or if it's no longer needed, revoke it immediately:
- Go to Settings → API Keys
- Find the key you want to revoke
- Click the Revoke button
- Confirm the revocation
Revocation is immediate
Revoked keys will stop working instantly. All API requests using the revoked key will return 401 Unauthorized.
Authentication Errors
When authentication fails, the API returns one of these errors:
| Status | Error Code | Description |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid Authorization header |
| 401 | INVALID_API_KEY | The API key is invalid or has been revoked |
| 429 | RATE_LIMITED | Too many requests—slow down |
Example Error Response
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key"
  }
}
Rate Limits
API requests are subject to rate limits. See Rate Limits for details on limits and best practices.
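The guidance on this page (key read from an environment variable, separate keys per environment, and the error table) combined in one server-side helper. This is an added example, not Flametalk's own code; APP_ENV, the function names, the action labels and the rule that only production may hold an sk_live_ key are assumptions.

```python
import json
import os

KNOWN_PREFIXES = ("sk_live_", "sk_test_")

def redact(key):
    """Log-safe form: show only the key type, never the secret part."""
    for prefix in KNOWN_PREFIXES:
        if key.startswith(prefix):
            return prefix + "****"
    return "****"

def load_api_key(environ=os.environ):
    """Read FLAMETALK_API_KEY and refuse a key of the wrong type for this stage."""
    key = environ.get("FLAMETALK_API_KEY", "").strip()
    if not key:
        raise RuntimeError("FLAMETALK_API_KEY is not set")
    # Assumption: APP_ENV is a hypothetical stage variable; only "production"
    # may hold a live key, every other stage must use a test key.
    stage = environ.get("APP_ENV", "development")
    prefix = "sk_live_" if stage == "production" else "sk_test_"
    if not key.startswith(prefix) or len(key) == len(prefix):
        raise RuntimeError(f"{stage} expects a {prefix}... key, got {redact(key)}")
    return key

def auth_header(key):
    """Bearer header as documented; build it server-side only."""
    return {"Authorization": f"Bearer {key}"}

def classify_failure(status, body):
    """Map a failed response to an action using the page's error table."""
    try:
        code = json.loads(body)["error"]["code"]
    except (ValueError, KeyError, TypeError):
        code = None  # body was not the documented JSON error shape
    if status == 429 and code == "RATE_LIMITED":
        return "backoff"      # retry later with a delay
    if status == 401 and code == "INVALID_API_KEY":
        return "rotate"       # invalid or revoked: stop, do not retry this key
    if status == 401:
        return "fix_header"   # UNAUTHORIZED: header missing or malformed
    return "unexpected"

if __name__ == "__main__":
    # Constructed sample response in the shape of the page's example error body.
    sample = '{"success": false, "error": {"code": "INVALID_API_KEY", "message": "x"}}'
    print(classify_failure(401, sample))
```

A 401 is never retried with the same key: "rotate" means replacing the key in the environment, and "fix_header" points to a configuration bug in the caller.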