Getting Started

Authentication

Authentication

All Slotflow API requests require authentication via an API key passed as a Bearer token in the Authorization header.

API key format

Slotflow API keys use the sk_live_ prefix followed by a random string:

sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

Making authenticated requests

Include your API key in the Authorization header of every request:

$curl https://api.slotflow.dev/v1/humans \
>  -H "Authorization: Bearer sk_live_your_api_key"
1const response = await fetch("https://api.slotflow.dev/v1/humans", {
2  headers: {
3    "Authorization": "Bearer sk_live_your_api_key",
4  },
5});
1response = requests.get(
2    "https://api.slotflow.dev/v1/humans",
3    headers={"Authorization": "Bearer sk_live_your_api_key"},
4)

Getting your API key

  1. Sign in to the Slotflow Dashboard
  2. Your API key is displayed on the Overview page
  3. Click the eye icon to reveal the full key, then copy it

One key per organization

Each Slotflow organization has a single API key. All humans, bookings, and webhooks created with that key are scoped to your organization. There is no way for one API key to access another organization’s data.

Regenerating your key

If your API key is compromised:

  1. Go to the Dashboard Overview
  2. Click Regenerate API Key
  3. Confirm the action (this is destructive)

The old key is invalidated immediately. Any requests using the old key will receive a 401 UNAUTHORIZED error. Update your agent’s configuration with the new key right away.

Error response

Requests without a valid API key receive:

1{
2  "error": {
3    "code": "UNAUTHORIZED",
4    "message": "Missing or invalid API key.",
5    "status": 401
6  }
7}

Security best practices

  • Never hardcode API keys in source code. Use environment variables instead.
  • Never commit keys to version control. Add .env files to .gitignore.
  • Rotate keys if leaked. Regenerate immediately from the dashboard if a key is exposed in a public repository, log file, or error message.
  • Use server-side only. Never expose your API key in client-side code (browser JavaScript, mobile apps). All Slotflow API calls should be made from your backend.
  • One key, one environment. Don’t share a key between production and development environments.
$# Good — environment variable
$export SLOTFLOW_API_KEY="sk_live_your_api_key"
1// Good — read from environment
2const apiKey = process.env.SLOTFLOW_API_KEY;
3
4const response = await fetch("https://api.slotflow.dev/v1/humans", {
5  headers: { "Authorization": `Bearer ${apiKey}` },
6});