Authentication
The Competiflow API uses API keys sent as Bearer tokens. There is no OAuth flow for the public v1 API.
API keys
Create keys in the dashboard: Settings → API keys → Create key.
Each key is shown once at creation:
sk_live_a1b2c3d4e5f6...
Keys are stored as SHA256 digests. If you lose a key, revoke it and create a new one.
Authorization header
Include the key on every request:
Authorization: Bearer sk_live_your_key_here
Example:
curl https://api.competiflow.com/v1/workspaces \
-H "Authorization: Bearer sk_live_your_key_here"
Scoping
API keys belong to your user account. All list/show/create operations are scoped to resources you own. You cannot access another user's workspace, competitor, monitor, or change by ID.
Rate limits
Each key inherits your plan's per-minute rate limit. See Rate limits.
Errors
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized |
Missing, malformed, or revoked key |
{
"error": {
"code": "unauthorized",
"message": "Invalid or missing API key"
}
}
Security tips
- Do not commit keys to git or expose them in client-side code.
- Use environment variables (
COMPETIFLOW_API_KEY) in scripts and CI. - Revoke unused keys promptly.