Skip to main content

Authentication

Most Flexweg API endpoints are authenticated with an API key passed as an HTTP header. There are two types of keys, designed for different use cases.

The X-API-Key header

Whatever the key type, you always send it the same way:

HTTP header
X-API-Key: d30ae92f6497999faaa0979ea2813dea1929691be8ccc52d6bc55a68ebb222a1

Key types

TypeHeaderWhen to use
PermanentX-API-KeyServer automation, CI/CD, long-running integrations that manage files on a specific site.
TemporaryX-API-KeyShort-lived access — typically handed to an AI agent. Valid 1 hour by default, up to 24 hours max.

Both key types are interchangeable at call time — the endpoint only checks validity and scope.

Where do I get a permanent key?

Log in to your Flexweg account and open Account → API. Generate a key for the site you want to automate, and store it somewhere secure.

Treat your key like a password

A permanent key gives full access to your site's files. Never commit it to git, never paste it in a public issue, never ship it to the browser.

Generating a temporary key

If you want to delegate access to an AI agent for a single session, create a temporary key via the dedicated endpoint. This requires user authentication (you must be logged in to generate it).

POST /api/keys/generate-temp

Request
curl -X POST https://www.flexweg.com/api/keys/generate-temp \
  -H "Content-Type: application/json" \
  -d '{
    "storage_folder_id": 1,
    "expires_in": 3600
  }'

Body parameters

FieldTypeDescription
storage_folder_idinteger (required)ID of the site the key should grant access to.
expires_ininteger (optional)Lifetime in seconds. Default 3600 (1 hour), max 86400 (24 hours).

The response contains the newly generated key. Pass it to whichever client needs it, and the key automatically becomes invalid at the end of its lifetime.

Hand temporary keys to AI agents

Temporary keys are the recommended way to let an AI assistant (Claude, ChatGPT, an MCP client) edit your site. If the agent leaks the key, the blast radius is limited to 24 hours at most.

Errors

A missing or invalid key produces a structured response:

401 Unauthorized
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key",
  "hint_for_ai": "Ask the user: 'I need an API key to access your files...'"
}

The hint_for_ai field is specifically designed for AI agents — it's a ready-made prompt they can show the end user to recover from a missing credential.

Rate limits

The public publish endpoint is rate-limited by IP address. Authenticated endpoints follow your plan's quota (see Files → upload for storage and file-count limits).