The Flowlix API authenticates every request with a secret API key sent as a Bearer token:
curl https://api.flowlix.dev/v1/payments \
  -H "Authorization: Bearer api_test_sk_abc123def456"
Requests without a valid key return 401 Unauthorized with an authentication_error body. See Errors.

API keys

You manage API keys in the Developers section of the Merchant Portal. Each key belongs to exactly one merchant account and one mode:
| Prefix | Mode | Behavior |
|---|---|---|
| api_test_sk_ | Test | Payments are simulated end to end. No real cards are charged. Use test cards. |
| api_live_sk_ | Live | Real payments with real funds. |
Test and live mode share the same API host — the mode is determined entirely by the key you send. Objects created in one mode are invisible to keys of the other mode, and every API object carries a livemode boolean so you can always tell them apart.

Key security

Secret keys grant full access to your merchant account: creating payments, reading payment data, and issuing refunds. Treat them like passwords.
  • Call the API only from your backend. Never expose secret keys in browsers, mobile apps, or client-side code.
  • Store keys in a secrets manager or environment variables, never in source control.
  • Rotate keys from the Merchant Portal if you suspect a leak. Revoked keys stop working immediately and requests with them return 401.
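
The sketch below is an added example, not Flowlix's own code. It applies the rules above on a backend: it reads the key from the environment, refuses a key whose prefix does not match the mode the deployment expects, redacts keys before they reach logs, and flags key-shaped strings in text headed for source control. The variable name FLOWLIX_API_KEY, the function names, and the assumption that the key body is eight or more alphanumeric characters are illustrative; only the two prefixes come from this page.

```python
import os
import re

# Prefixes are from the page; key body charset/length and ENV_VAR are assumptions.
PREFIX_MODE = {"api_test_sk_": "test", "api_live_sk_": "live"}
KEY_RE = re.compile(r"\bapi_(?:test|live)_sk_[A-Za-z0-9]{8,}")
ENV_VAR = "FLOWLIX_API_KEY"  # hypothetical variable name
# Constructed sample file content (the key is the page's example value).
SAMPLE = 'host = "api.flowlix.dev"\nkey = "api_test_sk_abc123def456"\nmode = "api_test_sk_"\n'

def key_mode(key):
    """Return 'test' or 'live' from the key prefix, or None if unrecognised."""
    for prefix, mode in PREFIX_MODE.items():
        if key.startswith(prefix):
            return mode
    return None

def redact(key):
    """Keep the mode prefix for debugging, hide the secret part."""
    mode = key_mode(key)
    return f"api_{mode}_sk_****" if mode else "****"

def load_key(expected_mode, env=os.environ):
    """Read the key from the environment and refuse a key of the wrong mode."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    if key_mode(key) != expected_mode:
        raise RuntimeError(f"expected a {expected_mode} key, got {redact(key)}")
    return key

def auth_headers(key):
    """Build the Bearer header the API expects."""
    return {"Authorization": f"Bearer {key}"}

def find_committed_keys(text):
    """Return (line_number, redacted_key) for each key-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits

if __name__ == "__main__":
    print(find_committed_keys(SAMPLE))
```

Calling load_key("test") in staging and load_key("live") only in production makes a misplaced live key fail at startup rather than charge real cards; find_committed_keys can run as a pre-commit check over staged file contents.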

Common authentication errors

| HTTP | error.type | Meaning | Fix |
|---|---|---|---|
| 401 | authentication_error | Key missing, malformed, expired, or revoked | Send Authorization: Bearer <key> with a current key |
| 403 | authentication_error | Key is valid but not allowed to perform this operation, or the resource belongs to the other mode | Use the right key for the resource’s mode and merchant account |