Authentication
All API requests require authentication via API keys.
When should I read this?
Read this if you're integrating with the Floatless API and need to understand how to authenticate your requests.
API keys
Floatless uses API keys for authentication. Each key has:
- Key ID — public identifier (starts with fl_)
- Secret — private value (only shown once)
- Environment — test or live
Getting your API keys
- Go to Settings → API Keys
- Click "Create API Key"
- Copy the secret immediately — it won't be shown again
- Store securely
Using API keys
Include your API key in the Authorization header:
Authorization: Bearer fl_live_abc123...
Example request
curl https://api.floatless.com/v1/customers \
-H "Authorization: Bearer fl_live_abc123..."
Test vs. Live keys
| Environment | Key prefix | Purpose |
|---|---|---|
| Test | fl_test_ | Development, testing |
| Live | fl_live_ | Production |
- Test keys access test data only
- Live keys access production data
- Keep environments completely separate
Security best practices
- Never expose in client code — API keys are server-side only
- Environment variables — store in .env, not source code
- Rotate regularly — especially if compromised
- Minimal permissions — use scoped keys when available
Rate limits
API requests are rate limited:
| Tier | Requests/minute |
|---|---|
| Standard | 100 |
| Pro | 500 |
| Enterprise | Custom |
Exceeding limits returns 429 Too Many Requests.
Error responses
| Code | Meaning |
|---|---|
| 401 | Invalid or missing API key |
| 403 | Key doesn't have permission |
| 429 | Rate limit exceeded |
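
The sketch below applies the security practices and error codes above on the server side. It is an added example, not Floatless code or an official SDK. The variable name FLOATLESS_API_KEY, the function names, and the retry policy are assumptions, and the sample key is constructed.

```python
import os
import urllib.request

API_BASE = "https://api.floatless.com/v1"        # base URL from the curl example
KEY_PREFIXES = {"test": "fl_test_", "live": "fl_live_"}
KEY_VAR = "FLOATLESS_API_KEY"                    # assumed variable name


class KeyConfigError(RuntimeError):
    """Raised before any request is sent when the key is unusable."""


def load_api_key(expected_env, environ=None):
    """Read the key from the environment and check it matches the deployment."""
    environ = os.environ if environ is None else environ
    key = environ.get(KEY_VAR, "").strip()
    if not key:
        raise KeyConfigError(f"{KEY_VAR} is not set")
    if not key.startswith(KEY_PREFIXES[expected_env]):
        # Fail closed: a live key in a test job (or the reverse) never leaves the host.
        raise KeyConfigError(f"{KEY_VAR} is not a {expected_env} key")
    return key


def redact(key):
    """Form safe for logs: environment prefix only, never the secret part."""
    for prefix in KEY_PREFIXES.values():
        if key.startswith(prefix):
            return prefix + "****"
    return "****"


def build_request(path, key):
    """Attach the key as a Bearer token; the request is built, not sent."""
    req = urllib.request.Request(API_BASE + path)
    req.add_header("Authorization", f"Bearer {key}")
    return req


def should_retry(status):
    """Only 429 is worth retrying; 401 and 403 need a key or permission fix."""
    return status == 429


if __name__ == "__main__":
    sample_env = {KEY_VAR: "fl_test_EXAMPLEONLY"}  # constructed sample value
    key = load_api_key("test", sample_env)
    req = build_request("/customers", key)
    print(req.full_url, "using", redact(key))
```

Calling load_api_key at process start, with the expected environment taken from deployment configuration, surfaces a missing or mismatched key before any request is made.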