The Flowyte API has two authentication modes that both resolve to the same tenant-scoped identity, so a key can never reach another organization’s data.

Secret API keys (server-to-server)

For your backend and for agents building against the API, use a secret key:
Authorization: Bearer flowyte_sk_…
Your API key already determines the organization — no extra headers are needed.
The first key is minted in the dashboard’s Developer page (a chicken-and-egg bootstrap). Manage your keys — mint, rotate, and revoke — in the dashboard Developer page.

Browser sessions

The dashboard authenticates with a session token. You won’t use this directly when building against the API — it’s how the builder UI talks to the same endpoints your key does.

Publishable keys (the chat widget)

The embeddable chat widget authenticates in the browser with a publishable key (flowyte_pk_…). It is agent-pinned, origin-allowlisted, and limited to public chat — safe to ship in client-side code.
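
A CI or pre-commit check that follows from the secret/publishable split described above, flagging a secret key that has ended up in browser-shipped code. This is an added example, not Flowyte code: only the `flowyte_sk_` and `flowyte_pk_` prefixes come from this page; the key-body pattern, the client file suffixes, and the sample files are assumptions constructed for illustration.

```python
import re

# Assumption: only the two prefixes are documented; the character set and
# minimum length of the key body are guesses. The docs placeholder
# "flowyte_sk_…" deliberately does not match.
KEY_RE = re.compile(r"\bflowyte_(sk|pk)_([A-Za-z0-9_-]{8,})")

# Hypothetical list of suffixes for files that are served to the browser.
CLIENT_SUFFIXES = (".js", ".jsx", ".ts", ".tsx", ".html", ".vue")

def redact(match):
    """Report the key type and body length, never the key material."""
    return f"flowyte_{match.group(1)}_[redacted:{len(match.group(2))}]"

def scan_text(path, text):
    """Return (path, line_no, severity, redacted_key) for each secret key."""
    findings = []
    is_client = path.endswith(CLIENT_SUFFIXES)
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            if m.group(1) == "pk":
                continue  # publishable keys are meant for client-side code
            # A secret key in browser code is exposed to every visitor;
            # in server code it is still a hardcoded credential.
            severity = "critical" if is_client else "warning"
            findings.append((path, line_no, severity, redact(m)))
    return findings

def scan_files(files):
    """files maps path -> contents; returns all findings sorted by path."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out

# Constructed sample inputs (not real keys).
SAMPLE_FILES = {
    "web/widget.js": 'const key = "flowyte_pk_CONSTRUCTEDpk0001";\n',
    "web/app.js": 'const h = {Authorization: "Bearer flowyte_sk_CONSTRUCTEDsk0001"};\n',
    "server/config.py": 'API_KEY = "flowyte_sk_CONSTRUCTEDsk0002"  # hardcoded\n',
    "docs/auth.md": "Authorization: Bearer flowyte_sk_…\n",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Any key the check reports should be treated as exposed and rotated in the dashboard Developer page, not just removed from the file.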

Scopes

Secret keys carry scopes that gate which operations they can call. Request only what you need. Common scopes:
| Scope | Grants |
| --- | --- |
| agents:read / agents:write | Read or modify agents, simulate, mint a talk token |
| knowledge:write | Add and manage knowledge sources |
| skills:write | Create and configure skills |
| pubkeys:write | Mint publishable keys for the widget |
| numbers:write | Search, reserve, and assign phone numbers |
| billing:read / billing:write | Read the wallet / manage credits and plans |
| analytics:read | Read post-call analytics and conversations |
The authoritative scope list is the Scope enum in the API Reference.
Some endpoints documented in the contract are reserved (planned ahead of release). Calling one returns a 403, not a 404. If a correctly-scoped call returns 403, check whether the endpoint is marked reserved.