Get started
Authentication
FlashML public API requests authenticate with workspace API keys. Keys are displayed once, stored hashed, and can be revoked from the workspace.
Send an API key
Bearer token
Authorization: Bearer flashml_sk_...API key header
X-API-Key: flashml_sk_...Use one authentication method per request. Keep API keys in trusted server-side environments and never expose them in browser code or mobile clients.
Operational guidance
Environment isolation
Use separate keys for development, staging, and production services.
Multiple keys
Create separate keys for separate services so each integration can be rotated or revoked independently.
Rotation
Create a replacement key, deploy it, verify traffic, then revoke the old key.
Revocation
Revoked keys stop authenticating immediately and return 401 on public API requests.
FlashML shows a key value only when it is created. Store it in a server-side secret manager and use the key name or description to identify which service owns it.