API keys & bearer tokens

Two senses of "API key" in Flero:

Keys for external services, stored as credentials, used by connector / HTTP nodes to authenticate outgoing calls.
Flero's own API keys, let external code call into Flero (trigger workflows, fetch executions, manage resources programmatically).

Keys for external services

For services that don't do OAuth (or where you prefer not to), most accept an API key passed in a header, query parameter, or Authorization header.

Creating one as a credential

Settings → Credentials → Add credential.
Pick the service.
Auth type: API key or Bearer token (the picker shows which the service supports).
Fields you'll fill in:
- Key value, the secret itself.
- Header name, where to send it (e.g. Authorization, X-API-Key). Pre-filled per service.
- Header prefix, e.g. Bearer or Token . Some services need none.
- Or, query parameter, for services that take the key in the URL.
Test connection, verifies by making a no-op call.
Save.

Using in a node

In any node that supports a credential field, pick the credential. The node injects the key into the right header / query param automatically.

For the generic HTTP Request node, you can use an API-key credential the same way, the request will include the configured header.

Rotation

Generate a new key in the external service's dashboard, then Edit the credential → paste the new value → Save. Workflows continue uninterrupted.

Flero's own API keys

Used to call Flero from external code, trigger workflows, fetch results, manage resources from CI pipelines, etc.

Creating one

Settings → Credentials → API keys (sub-tab) → Generate new API key.
Choose:
- Name, what's it for ("CI deploy hook").
- Scopes, which API surfaces it can call. Combine from: executions:read, executions:write, workflows:read, workflows:write, credentials:read, …
- Workflows, All or a specific allow-list.
- Expiration, optional. Recommended for service accounts.
Click Generate.
Copy the key immediately, it's shown once, then hashed. If you lose it, you have to generate a new one.

Using

Send as an Authorization: Bearer <key> header on Flero's API:

curl https://app.flero.ai/api/workflows/<id>/run \
  -H "Authorization: Bearer flero_sk_..." \
  -H "Content-Type: application/json" \
  -d '{"input": {"foo": "bar"}}'

Full API reference is at /api-docs inside the app (or https://app.flero.ai/api-docs).

Revoking

Same screen, find the key row → Revoke. The hash is removed; any further use returns 401. Audit shows when the key was last used.

Scoping principles

One key per consumer. Don't share a key between two CI pipelines, when one is compromised, both get revoked.
Narrow scopes. A pipeline that only runs a specific workflow should have executions:write on that workflow only.
Expire by default. Set an expiration even if you intend to renew, it's a forcing function for rotation.

Bearer tokens (the in-between case)

"Bearer token" can mean:

A short-lived OAuth access token, handled automatically as part of an OAuth credential.
A long-lived personal access token (PAT), created in the service, used like an API key. Stored in Flero as an "API key" credential with header Authorization: Bearer <token>.

Both flavours work identically once stored.

Tips & gotchas

Test keys after rotating. The most common rotation failure is pasting an old key by mistake. Click Test before relying on it.
Never log API keys. Flero doesn't, but if you compose a header in a Code node and then Log the result, you'll leak it. Reference credentials by ID; let Flero handle header construction.
Workspace API keys ≠ user tokens. A Flero API key acts as the workspace, with the scopes you granted. It doesn't impersonate a specific user. For per-user actions, use a different auth flow.
Self-hosted instances generate keys with the prefix configured by an admin, defaults to flero_sk_. The format is flero_sk_<random_chars>; treat as sensitive.

Managing credentials
Manual & test runs, calling Flero externally
Security & MFA

Found something out of date? This page lives in the Flero docs content set.