Authentication
Report Flow API supports two authentication methods: appkey header authentication and OAuth 2.0 / OpenID Connect. Choose the one that fits your use case.
When to use which
| Use case | Recommended method |
|---|---|
| Single-workspace automation (cURL, internal batch jobs) | appkey header |
| Server-to-server integration (backend → Report Flow) | OAuth 2.0 Client Credentials |
| Per-user authorization (Make.com, third-party SaaS, personal apps) | OAuth 2.0 Authorization Code + PKCE |
See OAuth 2.0 Authentication for the OAuth flows. This page covers the appkey method.
appkey method
Send the appkey header (lowercase) on every request:
appkey: your-application-key
API endpoint
Base URL: https://api.re-port-flow.com/v1
Examples:
- Single PDF generation:
https://api.re-port-flow.com/v1/file/sync/single - Design parameters:
https://api.re-port-flow.com/v1/file/design/parameter/{designId}
Authentication Errors
If authentication fails, the following errors are returned:
401 Unauthorized
{
"statusCode": 401,
"message": "認証情報が不正です",
"error": "Unauthorized"
}
(The server returns the message in Japanese; it translates to "Invalid credentials".)
Cause:
- The
appkeyheader is invalid or has been revoked
412 Precondition Failed
{
"statusCode": 412,
"message": "認証方式ヘッダーが存在しません",
"error": "Precondition Failed"
}
(The server returns the message in Japanese; it translates to "Authentication header is missing".)
Cause:
- The
appkeyheader is missing
Security Best Practices
1. Secure API Key Storage
// ❌ Bad: Hardcoded in source code
const APP_KEY = 'hardcoded-key';
// ✅ Good: Use environment variables
const APP_KEY = process.env.REPORT_FLOW_APP_KEY;
2. Use HTTPS
All API requests must use HTTPS. HTTP requests are not accepted.
3. Key Rotation
Regularly regenerate API keys and invalidate old keys.
4. Scope Limitation
Use different API keys for production and development environments to separate access.
Sample Code
cURL
curl -X POST https://api.re-port-flow.com/v1/file/sync/single \
-H "appkey: your-application-key" \
-H "Content-Type: application/json" \
-d '{...}'
JavaScript
const headers = {
'appkey': process.env.REPORT_FLOW_APP_KEY,
'Content-Type': 'application/json'
};
Python
import os
headers = {
'appkey': os.environ['REPORT_FLOW_APP_KEY'],
'Content-Type': 'application/json'
}
OAuth 2.0 Authentication
For server-to-server integrations or per-user authorization, use OAuth 2.0 instead of appkey.
- Authorization Code + PKCE: User authorization flow for Make.com, custom apps, etc.
- Client Credentials: Server-to-server integration from your backend to Report Flow
See OAuth 2.0 Authentication for details.