API Keys

Create and manage API keys for external integrations

API keys allow external systems to authenticate with Flint. Manage keys in Settings > API Keys.

How API Key Permissions Work

API keys use the same permission system as regular users. The difference is how permissions are assigned:

  • Users — Permissions come from assigned roles
  • API Keys — Permissions are set directly when creating the key

This means an API key can do anything a user with the same permissions could do.

Creating an API Key

Open API Key Settings

Go to Settings > API Keys > Create Key.

Name the Key

Use a descriptive name indicating its purpose:

  • Production - ERP Integration
  • Development - Testing
  • Zapier Connection

Set Permissions

Choose what the key can do:

Full Access — Grants all permissions (equivalent to *:*)

Granular Permissions — Select specific permissions by resource:

  • Workflows (read, create, update, delete, run)
  • Templates (read, create, update, delete)
  • Interventions (read, handle, assign)
  • And more...

Permissions are grouped by resource, matching the same structure used for user roles.

Set Expiration (Optional)

Choose when the key expires:

  • Never — Manual revocation only
  • Custom date — Specific expiration date

Create and Copy

Click Create. Copy the key immediately — it won't be shown again.

Using API Keys

Include your API key in the Authorization header:

curl -X GET "https://steel.flint.com/workflows" \
  -H "Authorization: Bearer your-api-key-here"

Or with specific clients:

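// Read the key from the environment rather than hard-coding it
// (FLINT_API_KEY is an example variable name).
const apiKey = process.env.FLINT_API_KEY;

const response = await fetch('https://steel.flint.com/workflows', {
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  }
});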

Managing Keys

Viewing Keys

The API Keys list shows:

  • Key name and partial key
  • Permissions (displayed as badges)
  • Created date
  • Last used
  • Expiration status

Revoking Keys

  1. Find the key
  2. Click the menu > Revoke
  3. Confirm

Revoked keys stop working immediately. Any integration using the key will fail.

Key Rotation

Best practice is to rotate keys periodically:

Create New Key

Create a new key with the same permissions.

Update Integrations

Update all systems using the old key to use the new one.

Verify

Confirm integrations work with the new key.

Revoke Old Key

Once everything is migrated, revoke the old key.

Permission Examples

Monitoring dashboard — Read-only access:

  • workflows:read
  • runs:read

Automation system — Run workflows only:

  • workflows:run
  • runs:read

Full integration — Everything:

  • Full Access (*:*)

Security Best Practices

  • One key per integration — Easier to revoke without affecting others
  • Minimal permissions — Only grant permissions actually needed
  • Never commit keys — Use environment variables or secrets managers
  • Rotate regularly — Limit exposure time if compromised
  • Monitor usage — Check "last used" for unexpected activity
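
One way to check a key inventory against the practices listed above, as an added example that is not Flint's own code or API. The record fields mirror the columns of the API Keys list; the record shape, the 90-day rotation and 30-day staleness thresholds, and the sample data are assumptions.

```javascript
// Added example: audit API key records against the best practices above.
// Record shape and thresholds are assumptions, not a Flint export format.
const DAY_MS = 24 * 60 * 60 * 1000;

// True when the granted set covers one "resource:action" permission.
function grants(permissions, needed) {
  return permissions.includes('*:*') || permissions.includes(needed);
}

// Findings for one key. `required` is what the integration really needs;
// maxAgeDays / staleDays are policy values you choose (assumed defaults).
function auditKey(key, required, now, { maxAgeDays = 90, staleDays = 30 } = {}) {
  const findings = [];
  const ageDays = (t) => (now - Date.parse(t)) / DAY_MS;
  if (key.permissions.includes('*:*')) findings.push('full-access');
  const excess = key.permissions.filter((p) => p !== '*:*' && !required.includes(p));
  if (excess.length) findings.push(`excess:${excess.join(',')}`);
  const missing = required.filter((p) => !grants(key.permissions, p));
  if (missing.length) findings.push(`missing:${missing.join(',')}`);
  if (key.expiresAt === null) findings.push('never-expires');
  else if (Date.parse(key.expiresAt) <= now) findings.push('expired');
  if (ageDays(key.createdAt) > maxAgeDays) findings.push('rotation-due');
  if (key.lastUsedAt === null) findings.push('never-used');
  else if (ageDays(key.lastUsedAt) > staleDays) findings.push('stale');
  return findings;
}

function auditAll(keys, requiredByName, now) {
  return Object.fromEntries(
    keys.map((k) => [k.name, auditKey(k, requiredByName[k.name] || [], now)]));
}

// Constructed sample data (not real keys, not real Flint output).
const NOW = Date.parse('2025-06-01T00:00:00Z');
const inventory = [
  { name: 'Monitoring dashboard', permissions: ['workflows:read', 'runs:read'],
    createdAt: '2025-05-01T00:00:00Z', lastUsedAt: '2025-05-31T12:00:00Z',
    expiresAt: '2025-08-01T00:00:00Z' },
  { name: 'Automation system', permissions: ['*:*'],
    createdAt: '2024-11-01T00:00:00Z', lastUsedAt: '2025-03-01T00:00:00Z',
    expiresAt: null },
];
const needs = {
  'Monitoring dashboard': ['workflows:read', 'runs:read'],
  'Automation system': ['workflows:run', 'runs:read'],
};

console.log(auditAll(inventory, needs, NOW));
```

The second sample key is flagged because Full Access hides the fact that the integration only needs workflows:run and runs:read.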

Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| 401 Unauthorized | Invalid or revoked key | Check key is correct and not revoked |
| 403 Forbidden | Missing required permission | Add necessary permission to key |
| Key not working | Key expired | Create new key with fresh expiration |
| Rate limited | Too many requests | Implement backoff, contact support for higher limits |
