API Authentication
The ReportFlow API supports two authentication methods: API keys for server-to-server communication and OAuth tokens for user-context requests. Choose the method that fits your integration.
- API Keys: Static secrets for backend integrations and scripts.
- OAuth Tokens: Short-lived tokens scoped to a specific user session.
Using API keys
API keys are ideal for backend scripts, cron jobs, or integrations that don't run in a user's browser. Generate a key in Settings → API → Create Key. You'll see the key once—copy it and store it securely. Include the key in the Authorization header:
Keys are scoped to your organization and inherit the role of the user who created them (usually Admin). You can revoke a key at any time from the same settings page.
Using OAuth tokens
For applications that act on behalf of a user (e.g., a custom dashboard), use OAuth. ReportFlow supports the Authorization Code flow. After the user authorizes your app, you receive an access token and refresh token. Include the access token in the same Authorization header:
Access tokens expire after 1 hour. Use the refresh token to obtain a new access token without requiring the user to re-authorize.
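As an added illustration of both credential types described above (example code, not part of the ReportFlow documentation or SDK): a helper that reads a static API key from the environment rather than from source, and an OAuth session that refreshes its access token before the 1-hour expiry so a request never goes out with a stale token. The `Bearer` scheme, the `REPORTFLOW_API_KEY` variable name, the 60-second refresh margin and the shape of the refresh callback are all assumptions; the page does not show the token endpoint or the exact header format.

```python
import os
import time
from typing import Callable, Dict, Mapping, Tuple

# Assumption: the page says "Authorization header" but does not show the exact
# format, so the "Bearer <credential>" scheme used here is assumed.
SCHEME = "Bearer"
ACCESS_TOKEN_TTL = 3600   # the page states access tokens expire after 1 hour
REFRESH_MARGIN = 60       # assumed: renew this long before expiry to avoid a 401 mid-request


def api_key_header(environ: Mapping[str, str] = os.environ,
                   env_var: str = "REPORTFLOW_API_KEY") -> Dict[str, str]:
    """Build the header for a static API key read from the environment, never from source."""
    key = environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; the API key must come from the environment")
    return {"Authorization": f"{SCHEME} {key}"}


# Assumed callback shape: refresh_token -> (new_access_token, new_refresh_token, ttl_seconds).
# A real integration would call the token endpoint here; that endpoint is not on the page.
RefreshFn = Callable[[str], Tuple[str, str, int]]


class OAuthSession:
    """Holds an access/refresh token pair and renews the access token before it expires."""

    def __init__(self, access_token: str, refresh_token: str, refresh: RefreshFn,
                 now: Callable[[], float] = time.time, ttl: int = ACCESS_TOKEN_TTL) -> None:
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh = refresh
        self._now = now          # injectable clock so the expiry logic can be tested offline
        self.ttl = ttl
        self.obtained_at = now()

    def expires_soon(self) -> bool:
        """True once the access token is within REFRESH_MARGIN seconds of its expiry."""
        return self._now() >= self.obtained_at + self.ttl - REFRESH_MARGIN

    def header(self) -> Dict[str, str]:
        """Return the Authorization header, transparently refreshing a stale access token."""
        if self.expires_soon():
            # The refresh token renews access without sending the user back through authorization.
            self.access_token, self.refresh_token, self.ttl = self._refresh(self.refresh_token)
            self.obtained_at = self._now()
        return {"Authorization": f"{SCHEME} {self.access_token}"}
```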
Security best practices
- Store API keys in environment variables, never in code.
- Rotate keys periodically and revoke any that may have been exposed.
- Use OAuth for client-side applications to avoid exposing static secrets.
- Enable IP allowlisting for API keys when possible (Enterprise plan).
Next steps
- Explore available endpoints in REST API Endpoints.
- Set up event-driven integrations in Webhooks.
- Understand usage limits in Rate Limits.