Overview

Flowise uses API keys for authentication. API keys allow you to securely access your chatflows and other resources programmatically without exposing your credentials.
API keys are sensitive credentials. Keep them secure and never commit them to version control.

Authentication Methods

Flowise supports the following authentication methods:
  1. Bearer Token Authentication - Primary method for API access
  2. Chatflow-specific API Keys - Scoped access to individual chatflows

Creating an API Key

Via Flowise UI

  1. Log in to your Flowise instance
  2. Navigate to Settings → API Keys
  3. Click Add New
  4. Provide a descriptive name for your key
  5. Select the required permissions
  6. Click Create
  7. Copy the generated API key immediately (it won’t be shown again)
API keys are only displayed once upon creation. Store them securely in a password manager or secure vault.

Via API

You can also create API keys programmatically:
curl -X POST http://localhost:3000/api/v1/apikey \
  -H "Authorization: Bearer YOUR_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "keyName": "My API Key",
    "permissions": [
      "chatflows:view",
      "chatflows:update",
      "predictions:create"
    ]
  }'

Using API Keys

Bearer Token Authentication

Include your API key in the Authorization header using the Bearer scheme:
curl http://localhost:3000/api/v1/chatflows \
  -H "Authorization: Bearer YOUR_API_KEY"

Query Parameter Authentication

For prediction endpoints, you can also pass the API key as a query parameter:
curl -X POST "http://localhost:3000/api/v1/prediction/{chatflowId}?apikey=YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "question": "Hello, how are you?"
  }'
Using API keys in query parameters is less secure as they may be logged in server access logs. Use Bearer token authentication when possible.
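The logging risk described above can be checked on the server side. The following is an added example, not part of the Flowise documentation or code base: it scans access-log lines for the `apikey` query parameter, redacts the value, and reports how often each distinct key leaked. The log lines are constructed samples in combined log format, and `scanAccessLog` is a hypothetical helper name.

```javascript
// Constructed access-log lines (combined log format); the keys are fake placeholders.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "POST /api/v1/prediction/abc123?apikey=FAKE_KEY_ONE HTTP/1.1" 200 512',
  '10.0.0.7 - - [12/Mar/2025:10:01:09 +0000] "GET /api/v1/chatflows HTTP/1.1" 200 2048',
  '10.0.0.5 - - [12/Mar/2025:10:02:30 +0000] "POST /api/v1/prediction/abc123?x=1&apikey=FAKE_KEY_ONE HTTP/1.1" 200 733',
  '10.0.0.9 - - [12/Mar/2025:10:03:11 +0000] "POST /api/v1/prediction/def456?apikey=FAKE_KEY_TWO HTTP/1.1" 401 64',
];

// Captures method, request target and protocol from the quoted request line.
const REQUEST_RE = /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/;

// Returns the redacted lines plus one finding per distinct leaked key. Findings
// carry a label (key#1, key#2, ...) instead of the key, so the report can be shared.
function scanAccessLog(lines) {
  const seen = new Map(); // key value -> finding; the map itself is never returned
  const redacted = lines.map((line) => {
    const m = REQUEST_RE.exec(line);
    if (!m || !m[2].includes('?')) return line;
    const cut = m[2].indexOf('?');
    const path = m[2].slice(0, cut);
    const query = m[2].slice(cut + 1).split('&').map((pair) => {
      const eq = pair.indexOf('=');
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? '' : pair.slice(eq + 1);
      // Match the name case-insensitively: a mistyped parameter still leaks the key.
      if (name.toLowerCase() !== 'apikey' || value === '') return pair;
      if (!seen.has(value)) {
        seen.set(value, { label: `key#${seen.size + 1}`, hits: 0, paths: new Set() });
      }
      const finding = seen.get(value);
      finding.hits += 1;
      finding.paths.add(path);
      return `${name}=[REDACTED:${finding.label}]`;
    });
    // Function replacement avoids "$" patterns in the target being interpreted.
    return line.replace(m[2], () => `${path}?${query.join('&')}`);
  });
  const findings = [...seen.values()].map((f) => ({ ...f, paths: [...f.paths] }));
  return { redacted, findings };
}
```

Any key that shows up in a finding has been written to disk in clear text, so it belongs on the list of keys to revoke and replace.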

API Key Permissions

API keys can be assigned specific permissions to limit their access scope. Common permissions include:
Permission            Description
chatflows:view        View chatflows and their configurations
chatflows:create      Create new chatflows
chatflows:update      Update existing chatflows
chatflows:delete      Delete chatflows
agentflows:view       View agent flows
agentflows:create     Create new agent flows
agentflows:update     Update existing agent flows
agentflows:delete     Delete agent flows
predictions:create    Send messages to chatflows
apikeys:view          View API keys
apikeys:create        Create new API keys
apikeys:update        Update existing API keys
apikeys:delete        Delete API keys
Permissions follow a hierarchical structure. The update permission typically includes view access.
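A least-privilege review of the permissions listed above can be automated. This is an added example, not Flowise project code: it compares what each key was granted with what its consumer needs and flags keys that can manage other keys. The inventory, the `REQUIRED` map, keying by `keyName`, and the function names are assumptions; treating `update` as implying `view` follows the "typically" in the note above and is also an assumption.

```javascript
// Constructed inventory: the fields mirror the keyName/permissions request body.
const INVENTORY = [
  { keyName: 'Production Bot', permissions: ['chatflows:view', 'chatflows:update', 'predictions:create'] },
  { keyName: 'Flow Editor', permissions: ['chatflows:update'] },
  { keyName: 'Ops Script', permissions: ['chatflows:view', 'apikeys:create', 'apikeys:delete'] },
];

// What each consumer actually needs (assumed, normally taken from a design review).
const REQUIRED = {
  'Production Bot': ['predictions:create'],
  'Flow Editor': ['chatflows:view', 'chatflows:update'],
  'Ops Script': ['chatflows:view', 'chatflows:delete'],
};

// Expand a permission list with the view access that update is assumed to include.
function withImplied(permissions) {
  const all = new Set(permissions);
  for (const p of permissions) {
    const [resource, action] = p.split(':');
    if (action === 'update') all.add(`${resource}:view`);
  }
  return all;
}

function auditKeys(inventory, required) {
  return inventory.map(({ keyName, permissions }) => {
    const need = required[keyName] || [];
    const needed = withImplied(need);
    const effective = withImplied(permissions);
    return {
      keyName,
      // Granted but not needed: candidates for removal via the update endpoint.
      excess: permissions.filter((p) => !needed.has(p)),
      // Needed but not granted: the consumer will get authorization errors.
      missing: need.filter((p) => !effective.has(p)),
      // Keys that can create, update or delete keys deserve a separate review.
      canManageKeys: permissions.some((p) => p.startsWith('apikeys:') && p !== 'apikeys:view'),
    };
  });
}
```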

Managing API Keys

List All API Keys

Retrieve all API keys in your workspace:
curl http://localhost:3000/api/v1/apikey \
  -H "Authorization: Bearer YOUR_API_KEY"

Update an API Key

Update the name or permissions of an existing API key:
curl -X PUT http://localhost:3000/api/v1/apikey/{keyId} \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "keyName": "Updated Key Name",
    "permissions": [
      "chatflows:view",
      "predictions:create"
    ]
  }'

Delete an API Key

Revoke an API key when it’s no longer needed:
curl -X DELETE http://localhost:3000/api/v1/apikey/{keyId} \
  -H "Authorization: Bearer YOUR_API_KEY"
Deleting an API key is permanent and will immediately revoke access for any applications using that key.

Chatflow-Specific API Keys

Each chatflow can have its own API key for scoped access. To retrieve a chatflow using its specific API key:
curl http://localhost:3000/api/v1/chatflows/apikey/{apikey} \
  -H "Authorization: Bearer YOUR_API_KEY"

Authentication Errors

401 Unauthorized

Occurs when:
  • API key is missing
  • API key is invalid or expired
  • API key doesn’t have permission to access the resource
{
  "error": "Unauthorized access. Please verify your API key."
}
Solution: Verify your API key is correct and has the necessary permissions.

403 Forbidden

Occurs when:
  • API key is valid but lacks required permissions
  • Resource is restricted to specific workspace or organization
Solution: Update the API key permissions or contact your administrator.

Best Practices

Use Environment Variables

Store API keys in environment variables, never hardcode them in your source code.
const API_KEY = process.env.FLOWISE_API_KEY;

Rotate Keys Regularly

Periodically rotate your API keys to minimize security risks.
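Rotation combines the create and delete calls shown earlier, in an order that never leaves consumers without a working key. This is an added example, not Flowise project code: `rotateApiKey`, the `deploy` callback and the injectable `fetchFn` are hypothetical names, while the endpoints, request fields and the `apiKey` response field are the ones used on this page.

```javascript
// rotateApiKey, deploy and fetchFn are illustrative names, not Flowise APIs.
// Endpoints, request fields and the { apiKey } response field are from this page.
async function rotateApiKey({ baseUrl, adminToken, oldKeyId, keyName, permissions, deploy, fetchFn = fetch }) {
  const admin = { Authorization: `Bearer ${adminToken}` };

  // 1. Create the replacement key with the same scoped permissions.
  const created = await fetchFn(`${baseUrl}/api/v1/apikey`, {
    method: 'POST',
    headers: { ...admin, 'Content-Type': 'application/json' },
    body: JSON.stringify({ keyName, permissions }),
  });
  if (!created.ok) throw new Error(`key creation failed: HTTP ${created.status}`);
  const { apiKey } = await created.json();
  if (!apiKey) throw new Error('creation response carried no apiKey');

  // 2. Prove the new key authenticates before anything depends on it.
  //    Assumes the key holds chatflows:view; use another probe otherwise.
  const probe = await fetchFn(`${baseUrl}/api/v1/chatflows`, {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  if (!probe.ok) {
    return { rotated: false, oldKeyRevoked: false, reason: `new key rejected: HTTP ${probe.status}` };
  }

  // 3. Hand the key to the secret store and consumers (caller-supplied step).
  //    The key is passed on, never returned, so it cannot end up in a result log.
  await deploy(apiKey);

  // 4. Only now revoke the old key; deletion is permanent and immediate.
  const revoked = await fetchFn(`${baseUrl}/api/v1/apikey/${encodeURIComponent(oldKeyId)}`, {
    method: 'DELETE',
    headers: admin,
  });
  return {
    rotated: revoked.ok,
    oldKeyRevoked: revoked.ok,
    reason: revoked.ok ? null : `old key still active: HTTP ${revoked.status}`,
  };
}
```

If the probe fails, the old key is left untouched and the newly created key still exists; remove it through the UI or the delete endpoint once its ID is known.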

Use Minimal Permissions

Grant API keys only the permissions they need (principle of least privilege).

Monitor Usage

Regularly audit API key usage and revoke unused or compromised keys.

Security Recommendations

  1. Never share API keys - Each application or user should have their own key
  2. Use HTTPS in production - Always use TLS/SSL encryption for API requests
  3. Implement key rotation - Regularly rotate keys and revoke old ones
  4. Monitor for breaches - Set up alerts for unusual API activity
  5. Limit key scope - Use chatflow-specific keys when possible
  6. Store securely - Use secure vaults or secret management services

Example: Complete Authentication Flow

Here’s a complete example of creating an API key and using it to interact with a chatflow:
// Step 1: Create an API key (requires admin access)
const createKeyResponse = await fetch('http://localhost:3000/api/v1/apikey', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_ADMIN_TOKEN',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    keyName: 'Production Bot',
    permissions: ['chatflows:view', 'predictions:create']
  })
});

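// Stop here on an error response; otherwise apiKey would be undefined below
if (!createKeyResponse.ok) {
  throw new Error(`API key creation failed: HTTP ${createKeyResponse.status}`);
}
const { apiKey } = await createKeyResponse.json();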

// Step 2: Use the API key to send a message
const predictionResponse = await fetch(
  'http://localhost:3000/api/v1/prediction/your-chatflow-id',
  {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      question: 'Hello, how can you help me?'
    })
  }
);

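// A 401 or 403 here means the key is missing, invalid, or lacks permissions
if (!predictionResponse.ok) {
  throw new Error(`Prediction request failed: HTTP ${predictionResponse.status}`);
}
const result = await predictionResponse.json();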
console.log('AI Response:', result.text);

Next Steps

API Overview

Learn about API endpoints and response formats

API Reference

Explore detailed endpoint documentation
