Authentication
The Flashpoint.AI API uses bearer-token authentication over HTTPS. There are no cookies, no signed requests, and no session state.
API keys
Every request must include an Authorization header:
Authorization: Bearer fp_live_...
Keys are issued from the dashboard and are scoped to a single workspace. Treat them like passwords — never commit one to a repo or paste one into client-side code.
Key prefixes
| Prefix | Purpose |
|---|---|
| fp_live_ | Production traffic |
| fp_test_ | Sandbox traffic — separate billing/data |
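An added example, not part of the Flashpoint.AI documentation: a pre-commit style scanner that flags strings carrying the `fp_live_` and `fp_test_` prefixes above and reports them redacted, so the check itself does not leak a key into CI logs. The token body pattern (16 or more URL-safe characters) and all function names are assumptions; the page does not document the key format.

```python
import re
import sys

# Prefixes come from the page; the token body (16+ URL-safe characters) is an
# assumption, since the page does not document the key format.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])fp_(live|test)_([A-Za-z0-9_-]{16,})")

def redact(token):
    """Keep the prefix and last 4 characters so reports never leak the key."""
    prefix_len = len("fp_live_")  # both prefixes are 8 characters long
    return token[:prefix_len] + "*" * (len(token) - prefix_len - 4) + token[-4:]

def find_keys(text):
    """Return (line_no, environment, redacted_key) for each key-shaped string."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((line_no, m.group(1), redact(m.group(0))))
    return findings

def scan_files(paths):
    """Scan files and return findings keyed by path; unreadable files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_keys(fh.read())
        except OSError:
            continue
        if hits:
            report[path] = hits
    return report

# Constructed sample: the key values below are made up for this example.
SAMPLE = """\
curl -H "Authorization: Bearer $FLASHPOINT_API_KEY" https://api.flashpoint.ai/v1/keys/rotate
Authorization: Bearer fp_live_...
const key = "fp_live_9fK2mQ7xLp04ZtRw8sVb";
FLASHPOINT_API_KEY=fp_test_abcdefghijklmnop1234
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    report = scan_files(paths) if paths else {"<constructed sample>": find_keys(SAMPLE)}
    for path, hits in report.items():
        for line_no, env, key in hits:
            print(f"{path}:{line_no}: {env} key {key}")
    # Non-zero exit blocks the commit when run as a pre-commit hook on real files.
    sys.exit(1 if paths and report else 0)
```

Environment-variable references and the `fp_live_...` placeholder are not flagged; only strings with a full key-shaped body are.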
Scopes
Scopes restrict what a key can do. Set them at key creation time.
| Scope | Allows |
|---|---|
| read | GET on datasets and queries |
| write | POST, PATCH, DELETE |
| admin | Workspace and member management |
A key with read cannot create or modify resources. Mint short-lived write keys for build pipelines and rotate them on a schedule.
Rotating keys
curl -X POST https://api.flashpoint.ai/v1/keys/rotate \
  -H "Authorization: Bearer $FLASHPOINT_API_KEY"
The old key remains valid for 60 minutes after rotation to give deployments time to drain.
Revoking keys
Revoke from the dashboard or via the API. Revocation is immediate; in-flight requests under the revoked key will return 401.