API Key Management
This page explains how to obtain and manage API keys required to use the Report Flow API.
Obtaining API Keys
1. Create a Workspace
Log in to the Report Flow admin panel (https://re-port-flow.com) and create a new workspace.
An application token (App Key + Secret Key) is automatically generated when creating a workspace.
2. Check API Integration Information
Open the workspace details screen → "API Integration" tab to view the following information:
- Workspace ID:
ws-abc123...(copy button available) - API URL:
https://ws-abc123.api.re-port-flow.com/(copy button available) - Application Key:
app_xxxxxxxxxxxxxxxx(copy button available) - Secret Key:
********(hidden for security, copy button available)
Click the copy button on the right side of each item to copy the value to clipboard.
Initial Display of Secret Key
The secret key is only displayed in plain text immediately after workspace creation. Be sure to save it in a secure location.
If lost, you can issue a new key using the "Regenerate Secret Key" function, but the old key will be immediately invalidated.
API Key Management
Checking Keys
You can check current application token information in the "API Integration" tab of the workspace details screen:
- Workspace ID: Unique ID for each workspace (copyable)
- API URL:
https://{workspaceId}.api.re-port-flow.com/(copyable) - Application Key:
app_xxxxxxxxxxxxxxxx(copyable) - Secret Key:
********(hidden for security, copyable) - Last Rotation Date:
2024-02-14
One Application Token Per Workspace
Each workspace has one application token, which cannot be deleted or disabled. For security, only the secret key can be periodically regenerated.
Security Recommendations
Environment Variable Management
Recommended: Manage API keys in environment variables, not hardcoded in code
# .env file
REPORT_FLOW_WORKSPACE_ID=550e8400-e29b-41d4-a716-446655440000
REPORT_FLOW_APP_KEY=app_xxxxxxxxxxxxxxxx
REPORT_FLOW_SECRET_KEY=sec_xxxxxxxxxxxxxxxx
// Usage example
const workspaceId = process.env.REPORT_FLOW_WORKSPACE_ID;
const appKey = process.env.REPORT_FLOW_APP_KEY;
const secretKey = process.env.REPORT_FLOW_SECRET_KEY;
Add to .gitignore
# Exclude files containing API keys from Git
.env
.env.local
.env.production
secrets.json
Regular Rotation
For improved security, we recommend regenerating secret keys every 3 months.
A warning will be displayed in the "API Integration" section of the workspace details screen if more than 90 days have passed since the last rotation.
UI Regeneration Steps:
- Open workspace details screen → "API Integration" tab
- Click "Regenerate Secret Key" button
- Execute regeneration in confirmation modal
- Copy the displayed new secret key to a secure location (cannot be displayed again after closing this screen)
- Update application settings with new secret key
- Test functionality
API Regeneration Method:
curl -X POST \
https://{workspaceId}.api.re-port-flow.com/v1/workspace/{workspaceId}/application-token/regenerate \
-H 'Authorization: Bearer {access_token}' \
-H 'Content-Type: application/json'
Response example:
{
"applicationKey": "app_xxxxxxxxxxxxxxxx",
"secretKey": "new_sec_yyyyyyyyyyyyyyyy",
"lastRotatedAt": "2024-02-14T10:30:00.000Z"
}
When regenerating a secret key, the old secret key is immediately invalidated. We recommend updating application settings before executing regeneration.
Security
Report Flow API keys are securely managed using industry-standard security measures:
- Secret keys are stored encrypted
- All API operations are recorded in audit logs
- Only HTTPS communication is supported; plain text communication is not accepted
For maximum security, we recommend regular key rotation (every 3 months).
Troubleshooting
If You Lose Your Secret Key
Secret keys cannot be redisplayed. Follow these steps:
- Open workspace details screen → "API Integration" tab
- Click "Regenerate Secret Key" button
- Execute regeneration in confirmation modal
- Copy the displayed new secret key (cannot be displayed again after closing this screen)
- Update application settings with new secret key
The application key (App Key) can continue to be used. Only the secret key is changed.
If Keys Don't Work
Check the following:
- AppKey and SecretKey are correctly copied
- Keys are activated (check in admin panel)
- Subdomain matches Workspace ID
- Header names are
AppKeyandSecretKey(case-sensitive)