Get started

Authentication

FlashML public API requests authenticate with workspace API keys. Keys are displayed once, stored hashed, and can be revoked from the workspace.

Send an API key

Bearer token

Authorization: Bearer flashml_sk_...

API key header

X-API-Key: flashml_sk_...

Use one authentication method per request. Keep API keys in trusted server-side environments and never expose them in browser code or mobile clients.

Operational guidance

Environment isolation

Use separate keys for development, staging, and production services.

Multiple keys

Create separate keys for separate services so each integration can be rotated or revoked independently.

Rotation

Create a replacement key, deploy it, verify traffic, then revoke the old key.

Revocation

Revoked keys stop authenticating immediately and return 401 on public API requests.

FlashML shows a key value only when it is created. Store it in a server-side secret manager and use the key name or description to identify which service owns it.