> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flowyte.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys, scopes, and the two ways requests authenticate.

The Flowyte API has two authentication modes for requests, a secret key or a dashboard session,
and both resolve to the same tenant-scoped identity. Whichever mode a request uses, it can only
reach its own organization's data; a key can never cross into another tenant.

## Secret API keys (server-to-server)

For your backend and for agents building against the API, use a **secret key**:

```
Authorization: Bearer flowyte_sk_…
```

<Note>
  Your API key already determines the organization — no extra headers are needed.
</Note>

The first key has to be minted in the dashboard's **Developer** page, because there is no key yet
to call the API with (a chicken-and-egg bootstrap). The same page is where you mint, rotate, and
revoke keys afterwards.

## Browser sessions

The dashboard authenticates with a session token. You won't use this directly when building
against the API — it's how the builder UI talks to the same endpoints your key does.

## Publishable keys (the chat widget)

The embeddable chat widget authenticates in the browser with a **publishable key**
(`flowyte_pk_…`). It is pinned to a single agent, accepted only from allowlisted origins, and
limited to public chat, so it is safe to ship in client-side code. A secret key (`flowyte_sk_…`)
never is: it carries scopes over your whole organization and belongs only on your servers.
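The two key prefixes above give you a cheap build-time guard: a publishable key is the only kind that may appear in anything shipped to a browser, and a secret key is the only kind a server should put in an `Authorization` header. The following is an added example, not code from Flowyte or this page: `bearer_header` builds the header for server-to-server calls and refuses a non-secret key, and `leaked_secret_keys` scans a set of client-side sources for secret keys before they reach a bundle. The shape of the key after its prefix (`[A-Za-z0-9_-]`, at least 8 characters), the function names, and the sample files are assumptions made for the example.

```python
import re

# Prefixes come from the page: secret keys are flowyte_sk_..., publishable keys are flowyte_pk_...
# The shape of the rest of the key ([A-Za-z0-9_-], at least 8 chars) is an assumption for this example.
KEY_RE = re.compile(r"flowyte_(sk|pk)_[A-Za-z0-9_-]{8,}")


def bearer_header(key: str) -> dict:
    """Build the Authorization header for a server-to-server call.

    Refuses anything that is not a secret key: a publishable key is not meant for these endpoints,
    and failing here makes the misconfiguration obvious instead of surfacing as a remote error.
    """
    if not key.startswith("flowyte_sk_"):
        raise ValueError("server-side calls need a secret key (flowyte_sk_...)")
    return {"Authorization": f"Bearer {key}"}


def scan_client_source(name: str, text: str) -> list:
    """Find every Flowyte key in one client-side file.

    Returns (file, line, kind, redacted) tuples; kind is 'secret' for flowyte_sk_ keys,
    which must never ship to a browser, or 'publishable' for flowyte_pk_ keys, which may.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            kind = "secret" if m.group(1) == "sk" else "publishable"
            redacted = m.group(0)[:11] + "..."  # keep the prefix only; never log the full key
            findings.append((name, lineno, kind, redacted))
    return findings


def leaked_secret_keys(files: dict) -> list:
    """files maps path -> source text of everything going into the browser bundle.

    A non-empty result means a secret key is about to ship to clients: fail the build.
    """
    return [
        finding
        for path, text in files.items()
        for finding in scan_client_source(path, text)
        if finding[2] == "secret"
    ]


# Constructed sample bundle (key values are made up): the widget config correctly uses a
# publishable key, but a settings file has a secret key pasted into it.
SAMPLE_BUNDLE = {
    "widget-config.js": 'window.flowyteWidget = { publishableKey: "flowyte_pk_example0001" };\n',
    "settings.js": (
        "export const api = {\n"
        "  timeoutMs: 5000,\n"
        '  key: "flowyte_sk_example_do_not_ship",\n'
        "};\n"
    ),
}

if __name__ == "__main__":
    for finding in leaked_secret_keys(SAMPLE_BUNDLE):
        print("secret key in client bundle:", finding)
```

Run the scan over the directory your bundler consumes, in CI and as a pre-commit hook; the regex is deliberately prefix-based so it keeps working if the key body format changes.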

## Scopes

Secret keys carry **scopes** that gate which operations they can call. Request only what you
need. Common scopes:

| Scope                            | Grants                                             |
| -------------------------------- | -------------------------------------------------- |
| `agents:read` / `agents:write`   | Read or modify agents, simulate, mint a talk token |
| `knowledge:write`                | Add and manage knowledge sources                   |
| `skills:write`                   | Create and configure skills                        |
| `pubkeys:write`                  | Mint publishable keys for the widget               |
| `numbers:write`                  | Search, reserve, and assign phone numbers          |
| `billing:read` / `billing:write` | Read the wallet / manage credits and plans         |
| `analytics:read`                 | Read post-call analytics and conversations         |

The authoritative scope list is the `Scope` enum in the [API Reference](/api-reference/introduction).

<Note>
  Some endpoints documented in the contract are **reserved** (planned ahead of release). Calling
  one returns a `403`, not a `404`, so a `403` does not by itself mean the key lacks a scope. If a
  correctly-scoped call returns `403`, check whether the endpoint is marked reserved before
  changing the key's scopes.
</Note>
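Requesting only the scopes you need, and then reading a `403` correctly, is easier if your integration keeps its own map of which scope each operation requires. The following is an added example, not code from Flowyte or this page: `minimal_scopes` computes the smallest scope set to request when minting a key for a given set of operations, `missing_scopes` checks an existing key against them, and `triage_forbidden` lists the causes a `403` can have, including the reserved-endpoint case from the note above. The scope names are the ones in the table on this page; the operation names and the reserved-operation set are constructed for the example, and the authoritative scope list is the `Scope` enum in the API Reference.

```python
# Scope names are those listed on this page; the authoritative list is the Scope enum in the API
# reference. Which scope each operation needs is a mapping you maintain for your own integration;
# the operation names below are constructed for this example.
OPERATION_SCOPES = {
    "read_agent": "agents:read",
    "update_agent": "agents:write",
    "add_knowledge_source": "knowledge:write",
    "create_skill": "skills:write",
    "mint_publishable_key": "pubkeys:write",
    "reserve_number": "numbers:write",
    "read_wallet": "billing:read",
    "manage_credits": "billing:write",
    "read_analytics": "analytics:read",
}


def minimal_scopes(operations) -> frozenset:
    """Smallest scope set that covers the given operations: what to request when minting the key."""
    unknown = sorted(set(operations) - set(OPERATION_SCOPES))
    if unknown:
        raise KeyError(f"no scope mapping for operations: {unknown}")
    return frozenset(OPERATION_SCOPES[op] for op in operations)


def missing_scopes(key_scopes, operations) -> frozenset:
    """Scopes the key lacks for these operations; empty means the key is sufficient."""
    return minimal_scopes(operations) - frozenset(key_scopes)


def triage_forbidden(operation, key_scopes, reserved_operations) -> list:
    """Explain a 403 returned by `operation`.

    Returns every applicable cause, in the order to investigate: a scope the key does not hold,
    then the endpoint being reserved (planned, not yet released), which returns 403 even to a
    correctly scoped key. An empty list means neither explains it; look at the response body.
    """
    causes = []
    lacking = missing_scopes(key_scopes, [operation])
    if lacking:
        causes.append("missing scope " + ", ".join(sorted(lacking)))
    if operation in reserved_operations:
        causes.append("endpoint is reserved")
    return causes


if __name__ == "__main__":
    # A deploy job that only edits agents and knowledge should get exactly these two scopes.
    print(sorted(minimal_scopes(["update_agent", "add_knowledge_source"])))
    # Constructed reserved set: pretend number reservation has not shipped yet.
    print(triage_forbidden("reserve_number", ["numbers:write"], {"reserve_number"}))
```

Mint one key per job with `minimal_scopes` of that job's operations rather than one broad key shared by everything; a leaked `agents:write`-only key then cannot touch billing or phone numbers.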
