API Key Management
This page explains how to obtain and manage the API keys required to use the Report Flow API.
Obtaining API Keys
1. Create a Workspace
Log in to the Report Flow admin panel (https://re-port-flow.com) and create a new workspace.
The application key is generated automatically when the workspace is created.
2. Check API Integration Information
Open the workspace details screen → "API Keys" tab to see the following:
- API URL:
https://api.re-port-flow.com/(copy button available) - Application Key:
ak_xxxxxxxxxxxxxxxx(copy button available)
Click the copy button on the right side of each item to copy the value to the clipboard.
One application key per workspace
Each workspace is bound to a single application key. The key can be regenerated periodically.
Managing API Keys
Inspecting the key
You can check the current application key information from the "API Keys" tab on the workspace details screen:
- API URL:
https://api.re-port-flow.com/(copyable) - Application Key:
ak_xxxxxxxxxxxxxxxx(copyable) - Last Rotation Date:
2024-02-14
Security Recommendations
Manage with environment variables
Recommended: keep the API key in environment variables, never hard-coded in source.
# .env file
REPORT_FLOW_APP_KEY=ak_xxxxxxxxxxxxxxxx
// Usage
const appKey = process.env.REPORT_FLOW_APP_KEY;
Add to .gitignore
# Exclude files containing API keys from Git
.env
.env.local
.env.production
secrets.json
Rotate periodically
For improved security, we recommend regenerating the application key every 3 months.
A warning is shown in the "API Keys" section of the workspace details screen if more than 90 days have passed since the last rotation.
UI rotation steps:
- Open the workspace details screen → "API Keys" tab
- Click "Regenerate Application Key"
- Confirm in the modal
- Copy the displayed new key and apply it in your application
- Verify the application still works
API rotation:
curl -X POST \
https://api.re-port-flow.com/v1/workspace/{workspaceId}/application-token/regenerate \
-H 'Authorization: Bearer {access_token}' \
-H 'Content-Type: application/json'
Response example:
{
"applicationKey": "ak_xxxxxxxxxxxxxxxx",
"lastRotatedAt": "2024-02-14T10:30:00.000Z"
}
When the application key is regenerated, the old key is invalidated immediately. To avoid downtime, propagate the new key to your application configuration as quickly as possible.
Security
Report Flow API keys are managed with industry-standard security measures:
- Application keys are stored encrypted
- All API operations are recorded in audit logs
- Only HTTPS communication is supported; plain text is rejected
For maximum security we recommend periodic key rotation (every 3 months).
Production security requirements
For HTTPS / TLS version requirements, see Authentication overview.
Other best practices
Storing the API key
- Keep it in environment variables, never hard-coded
- Add
.envto.gitignore - Prefer a secret manager (AWS Secrets Manager, etc.)
Access control
- Issue API keys only to the workspaces that actually need them
- Regenerate keys immediately when no longer needed
- Audit access logs periodically
For limits and quotas, see the Limitations page.
Troubleshooting
Regenerating the application key
The application key is visible in the "API Keys" tab of the admin panel. If it's not visible, issue a new key as follows:
- Open the workspace details screen → "API Keys" tab
- Click "Regenerate Application Key"
- Confirm the regeneration in the modal
- Copy the displayed new key
- Update your application configuration with the new key
When the key isn't working
Check the following:
- The
appkeyheader is set correctly - The application key has been copied without truncation
- The key is active (verify in the admin panel)
- The header name is
appkey(lowercase)