Authentication
Report Flow API uses header-based authentication.
Authentication Mechanism
All API requests require the following two headers:
AppKey: your-application-key
SecretKey: your-secret-key
Workspace Validation
The subdomain of the API endpoint must match your workspace ID:
Base URL: https://{workspaceId}.re-port-flow.com/v1
Example:
- Workspace ID: 550e8400-e29b-41d4-a716-446655440000
- Endpoint: https://550e8400-e29b-41d4-a716-446655440000.re-port-flow.com/v1
Authentication Errors
If authentication fails, the following errors are returned:
401 Unauthorized
{
  "statusCode": 401,
  "message": "Invalid credentials",
  "error": "Unauthorized"
}
Cause:
- Invalid AppKey or SecretKey
- Subdomain and workspaceId mismatch
412 Precondition Failed
{
  "statusCode": 412,
  "message": "Missing authentication headers",
  "error": "Precondition Failed"
}
Cause:
- Missing AppKey or SecretKey header
Security Best Practices
1. Secure API Key Storage
// ❌ Bad: Hardcoded in source code
const API_KEY = 'hardcoded-key';

// ✅ Good: Use environment variables
const APP_KEY = process.env.REPORT_FLOW_APP_KEY;
const SECRET_KEY = process.env.REPORT_FLOW_SECRET_KEY;
2. Use HTTPS
All API requests must use HTTPS. HTTP requests are not accepted.
3. Key Rotation
Regularly regenerate API keys and invalidate old keys.
4. Scope Limitation
Use different API keys for production and development environments to separate access.
Sample Code
cURL
curl -X POST https://550e8400.re-port-flow.com/v1/file/sync/single \
  -H "AppKey: your-app-key" \
  -H "SecretKey: your-secret-key" \
  -H "Content-Type: application/json" \
  -d '{...}'
JavaScript
const headers = {
  'AppKey': process.env.REPORT_FLOW_APP_KEY,
  'SecretKey': process.env.REPORT_FLOW_SECRET_KEY,
  'Content-Type': 'application/json'
};
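The following is an added example, not code from the Report Flow documentation. It combines the workspace validation rule, the HTTPS requirement and the two documented error responses into one client-side helper. The function names `buildRequestConfig`, `explainAuthError` and `redactHeaders` are hypothetical, and it assumes workspace IDs are UUIDs as in the example above.

```javascript
// Added example; helper names are hypothetical, not part of the Report Flow API.
// Assumption: workspace IDs are UUIDs, as in the page's example.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function buildRequestConfig(env, workspaceId) {
  // Reject anything that is not a UUID so stray characters can never alter
  // the hostname; the keys are only ever sent to <uuid>.re-port-flow.com.
  if (!UUID_RE.test(workspaceId)) {
    throw new Error('workspaceId is not a UUID');
  }
  const appKey = env.REPORT_FLOW_APP_KEY;
  const secretKey = env.REPORT_FLOW_SECRET_KEY;
  // Fail closed locally instead of sending a request that would return 412.
  if (!appKey || !secretKey) {
    throw new Error('REPORT_FLOW_APP_KEY and REPORT_FLOW_SECRET_KEY must be set');
  }
  return {
    // The scheme is fixed to https; plain HTTP is not accepted by the API.
    baseUrl: `https://${workspaceId}.re-port-flow.com/v1`,
    headers: {
      AppKey: appKey,
      SecretKey: secretKey,
      'Content-Type': 'application/json',
    },
  };
}

// Map the documented error bodies to what the operator should check.
function explainAuthError(body) {
  switch (body.statusCode) {
    case 401:
      return 'check AppKey/SecretKey values and that the subdomain matches the workspace ID';
    case 412:
      return 'AppKey or SecretKey header is missing from the request';
    default:
      return null; // not an authentication error described on this page
  }
}

// Mask key values before a headers object is written to logs or error reports.
function redactHeaders(headers) {
  const out = { ...headers };
  for (const name of ['AppKey', 'SecretKey']) {
    if (out[name]) out[name] = '***';
  }
  return out;
}
```

Pass `process.env` as the first argument in real use; the helper takes it as a parameter so the checks can be exercised without touching the real environment.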
Python
import os

headers = {
    'AppKey': os.environ['REPORT_FLOW_APP_KEY'],
    'SecretKey': os.environ['REPORT_FLOW_SECRET_KEY'],
    'Content-Type': 'application/json'
}