API Keys
API Keys are available to Reseller and Agency accounts only.
API keys enable programmatic access to Flavor Hub without needing to manage JWT token lifecycles. They're ideal for automated workflows, CI/CD pipelines, and custom integrations.
Key Format
fh_live_<40 random hex characters>
Example: fh_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
Creating an API Key
Via Portal
- Go to API Keys in your portal
- Click Create API Key
- Enter a name for the key (e.g., "Production Server", "CI Pipeline")
- Click Create
- Copy the key immediately — it's shown only once
Via API
curl -X POST https://admin.flavorteam.dev/api/v1/portal/api-keys \
-H "Authorization: Bearer eyJ..." \
-H "Content-Type: application/json" \
-d '{"name": "My Integration"}'
Response:
{
"id": 1,
"name": "My Integration",
"prefix": "a1b2c3d4",
"raw_key": "fh_live_a1b2c3d4...",
"created_at": "2026-03-30T10:00:00Z"
}
The raw_key is returned only at creation time. Store it securely. If lost, revoke the key and create a new one.
Using an API Key
Pass the key in the X-API-Key header:
curl -H "X-API-Key: fh_live_a1b2c3d4..." \
https://admin.flavorteam.dev/api/v1/portal/licenses
Limits
- Maximum 10 active keys per account
- Keys can be revoked but not edited
Viewing Keys
The API Keys page shows:
| Field | Description |
|---|---|
| Name | Human-readable label |
| Prefix | First 8 characters (for identification) |
| Active | Whether the key is active or revoked |
| Last Used | Timestamp of last successful authentication |
| Created | Creation date |
Revoking a Key
Via Portal
Click Revoke next to the key you want to disable. The key is immediately invalidated.
Via API
curl -X DELETE https://admin.flavorteam.dev/api/v1/portal/api-keys/{key_id} \
-H "Authorization: Bearer eyJ..."
Revoked keys cannot be reactivated. Create a new key if needed.
Security Best Practices
- Never commit API keys to version control
- Use environment variables to store keys in your applications
- Create separate keys for different environments (development, staging, production)
- Revoke unused keys promptly
- Monitor "Last Used" to detect unauthorized usage
- Rotate keys periodically — revoke old keys and create new ones
Accessible Endpoints
API keys provide access to license and client management:
| Endpoint | Method | Description |
|---|---|---|
/api/v1/portal/licenses | GET | List all your licenses |
/api/v1/portal/licenses | POST | Create a single license |
/api/v1/portal/licenses/bulk | POST | Create up to 100 licenses |
/api/v1/portal/licenses/{id}/reactivate | POST | Reactivate a revoked license |
/api/v1/portal/clients | GET | List all sub-clients |
/api/v1/portal/clients | POST | Create a sub-client |
/api/v1/portal/clients/{id} | DELETE | Delete a sub-client |
/api/v1/portal/clients/{id}/licenses | GET | Get a client's licenses |
All other portal endpoints (subscriptions, profile, tickets, etc.) require JWT Bearer authentication.