Account & Security
Manage API keys
Generate, rotate, and revoke API keys for integrations and the public REST API.
Last updated 2026-04-26
API keys authenticate calls to the public REST API at /api/v1 and to integrations you build yourself.
Generate a key
Go to Settings → API Keys → New Key.
- Name - a description of the integration (e.g. "Zapier production", "internal reporting"). This shows up in audit logs alongside any action the key takes.
- Expiry - 30 days, 90 days, 1 year, or never. Pick the shortest window that works for your integration.
The full key is shown once - copy it now. We store only a SHA-256 hash, so we cannot recover the raw key later.
Use the key
Pass it as the X-API-Key header on every request:
GET /api/v1/clients HTTP/1.1
Host: client-flow.in
X-API-Key: cf_YOUR_KEY_HERE
The full API spec is at /api/openapi.json - import it into Postman or Insomnia, or generate a typed SDK from it.
Rate limits and quotas
Each key gets:
- 1,000 requests per minute, measured over a sliding window. Exceed it and you get a 429 response; wait a few seconds and retry.
- Monthly call counter visible in the API Keys table. Resets on the 1st of each month.
Rotate on schedule
Best practice: rotate keys every 90 days. The flow:
- Generate the new key.
- Deploy the new key to your integration.
- Verify it's working (check the Last Used timestamp).
- Revoke the old key.
Revoking
Click Revoke on a key to stop it working immediately. There's no grace period. Use Delete to also remove it from the table - the audit trail of past actions stays.
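The hash-only storage described under "Generate a key" and the immediate revocation described here can be sketched as follows. This is an added example, not the service's own code: the `KeyStore` class, the 11-character lookup prefix and the key length are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumption: "cf_" plus 8 characters stay readable for display and audit filtering.
PREFIX_LEN = 11


class KeyStore:
    """Hypothetical in-memory key table: holds SHA-256 digests, never raw keys."""

    def __init__(self):
        self._rows = {}  # prefix -> name, digest, expires, revoked

    def generate(self, name, ttl_days=90, now=None):
        """Create a key and return the raw value once; ttl_days=None never expires."""
        now = now or datetime.now(timezone.utc)
        raw = "cf_" + secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[raw[:PREFIX_LEN]] = {
            "name": name,
            "digest": hashlib.sha256(raw.encode()).digest(),
            "expires": None if ttl_days is None else now + timedelta(days=ttl_days),
            "revoked": False,
        }
        return raw  # the only moment the raw key exists on the server side

    def revoke(self, prefix):
        """Takes effect on the next verify() call: no grace period."""
        self._rows[prefix]["revoked"] = True

    def verify(self, presented, now=None):
        """Return the key's name if it is valid right now, otherwise None."""
        now = now or datetime.now(timezone.utc)
        row = self._rows.get(presented[:PREFIX_LEN])
        if row is None:
            return None
        digest = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison so response timing does not leak digest bytes.
        if not hmac.compare_digest(digest, row["digest"]):
            return None
        if row["revoked"] or (row["expires"] and now >= row["expires"]):
            return None
        return row["name"]
```

Because only the digest is kept, a copy of the key table does not yield usable keys, and a lost key can only be replaced, not recovered.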
What to do if a key leaks
If a key ends up in a public repository or screenshot:
- Revoke it immediately from the API Keys page.
- Generate a fresh key.
- Audit recent activity at Admin → Audit Logs - filter by the key's prefix to see what was done.
- If the leak exposed customer data, follow your incident response playbook.