Authentication
API keys, Bearer tokens, and how scoping works.
Every Public API request needs an API key. Create one in the dashboard: Settings → API keys.
Bearer auth
Send your key in the Authorization header:
Authorization: Bearer fmk_…
Token fmk_… also works. No cookies. No session tokens from the dashboard.
Key format
Keys start with fmk_ followed by 32 random bytes (base64url-encoded). FlowMock stores only a hash; we can't recover a lost key.
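Because keys have a fixed prefix and length, they can be caught by a secret scanner before they reach a repository or CI log. The scanner below is an added example, not FlowMock code; it assumes the 32 bytes are encoded as unpadded base64url (43 characters, optional trailing "="), and the sample key and the FLOWMOCK_API_KEY variable name are constructed for illustration.

```python
import base64
import re

# Assumption: 32 random bytes encode to 43 unpadded base64url characters;
# one trailing "=" is also accepted in case padding is kept.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])fmk_([A-Za-z0-9_-]{43})=?(?![A-Za-z0-9_=-])")


def redact(key: str) -> str:
    """Avoid re-leaking the key in scanner output: keep prefix + 4 chars."""
    return key[:8] + "…"


def scan(text: str, min_distinct: int = 10):
    """Return (line_number, redacted_key) for every plausible key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            body = match.group(1)
            # Heuristic: skip documentation placeholders such as fmk_xxxx...
            if len(set(body)) < min_distinct:
                continue
            findings.append((lineno, redact(match.group(0))))
    return findings


# Constructed sample key (bytes 0..31), not a real credential.
SAMPLE_KEY = "fmk_" + base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")

# Constructed CI config and log lines.
SAMPLE_TEXT = "\n".join([
    "# deploy settings",
    f"FLOWMOCK_API_KEY={SAMPLE_KEY}",               # real-looking key: flagged
    "Authorization: Bearer fmk_" + "x" * 43,        # placeholder: skipped
    f"Authorization: Token {SAMPLE_KEY}=",          # padded form: flagged
    "fmk_tooshort",                                 # wrong length: ignored
])

if __name__ == "__main__":
    for lineno, key in scan(SAMPLE_TEXT):
        print(f"line {lineno}: possible FlowMock API key {key}")
```

Any key the scanner flags should be revoked in the dashboard and replaced, since only a hash is stored and the exposed value cannot be rotated in place.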
Org-wide vs project-scoped
| Key type | Project param | Use case |
|---|---|---|
| Org-wide | Required on every call | One key for all projects in CI |
| Project-scoped | Inferred from key | Simpler calls for a single project |
Pass project as a query parameter or in the PUT request body (slug, not id).
If a project-scoped key receives a different project slug → 403 scope_mismatch.
Environment scoping
Environment = your proxy endpoint slug (e.g. staging).
- Single-endpoint projects: environment is auto-selected
- Multi-endpoint projects: pass environment on every call, or get 422 environment_required
Rate limits
120 requests per 60 seconds per API key in production.
Exceed the limit → 429 rate_limited. Space out polling if you're fetching logs in a loop.
Plan requirement
Public API requires Team or Business plan. Free and Dev plans get 403 plan_required.
Key management
Create, list, and revoke keys in the dashboard — not via the Public API. Max 25 active keys per org.
Related
- API overview — base URL and quick start
- Sessions — where you'll use the key
- Errors — unauthorized, plan_required, scope_mismatch