Secret API keys (server-to-server)
For your backend and for agents building against the API, use a secret key:
Your API key already determines the organization — no extra headers are needed.
Browser sessions
The dashboard authenticates with a session token. You won’t use this directly when building against the API — it’s how the builder UI talks to the same endpoints your key does.
Publishable keys (the chat widget)
The embeddable chat widget authenticates in the browser with a publishable key (flowyte_pk_…). It is agent-pinned, origin-allowlisted, and limited to public chat — safe to ship in client-side code.
Scopes
Secret keys carry scopes that gate which operations they can call. Request only what you need. Common scopes:

| Scope | Grants |
|---|---|
| agents:read / agents:write | Read or modify agents, simulate, mint a talk token |
| knowledge:write | Add and manage knowledge sources |
| skills:write | Create and configure skills |
| pubkeys:write | Mint publishable keys for the widget |
| numbers:write | Search, reserve, and assign phone numbers |
| billing:read / billing:write | Read the wallet / manage credits and plans |
| analytics:read | Read post-call analytics and conversations |

Scope enum in the API Reference.
Some endpoints documented in the contract are reserved (planned ahead of release). Calling one returns a 403, not a 404. If a correctly-scoped call returns 403, check whether the endpoint is marked reserved.
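
The scope and reserved-endpoint rules above can be checked before a key ships. The following is an added example, not code from this documentation or its SDK: it audits a secret key for excess scopes and separates a scope-related 403 from a reserved-endpoint 403. The function names, the `/v1/example-reserved` path, and the exact-match scope rule are assumptions.

```python
"""Least-privilege audit and 403 triage for scoped secret keys (added example)."""

# Scope names as listed in the table above.
KNOWN_SCOPES = frozenset({
    "agents:read", "agents:write", "knowledge:write", "skills:write",
    "pubkeys:write", "numbers:write", "billing:read", "billing:write",
    "analytics:read",
})

# Assumption: hypothetical placeholder path; take the real list from the
# endpoints marked reserved in the API Reference.
RESERVED_ENDPOINTS = frozenset({"/v1/example-reserved"})


def audit_key(granted, needed):
    """Compare a key's scopes with the scopes the integration actually uses."""
    granted, needed = set(granted), set(needed)
    unknown = (granted | needed) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unrecognized scopes: {sorted(unknown)}")
    return {
        "missing": sorted(needed - granted),  # calls that will be refused
        "excess": sorted(granted - needed),   # privilege to remove from the key
    }


def triage_403(granted, required_scope, path, reserved=RESERVED_ENDPOINTS):
    """Classify a 403 so a reserved endpoint is not mistaken for a scope bug."""
    # Assumption: scopes match exactly; write is not treated as implying read.
    if required_scope not in set(granted):
        return "missing_scope"
    if path in reserved:
        return "reserved_endpoint"
    return "unexplained"  # correctly scoped and not reserved: investigate


if __name__ == "__main__":
    key_scopes = ["agents:read", "agents:write", "billing:write"]  # constructed
    print(audit_key(key_scopes, needed=["agents:read", "analytics:read"]))
    print(triage_403(key_scopes, "agents:write", "/v1/example-reserved"))
```

Running the audit in CI against the scopes each service declares keeps over-privileged keys from reaching production.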