πŸ”‘ API Authentication

Get your Secret Keys to authenticate your API Calls. Secure API Call with Domain whitelisting.

πŸ“˜

Prerequisites

Step 1: Access your API Keys

After creating your account, our system will automatically generate for you three pairs of :

  • API ID
  • API SECRET KEY (you have to store it safely)

❗️

API KEY LEAKS

If you believe one of your API keys has been compromised, you should immediately revoke it.

Each one of these keys has a different level of permissions. They are intended for different use cases.

PermissionsUse CaseAPI SECRET KEY (ask)
WriteTo send data to the HrFlow.ai API.
For FRONTEND and BACKEND.
Starts with askw_
ReadTo get data from the HrFlow.ai API. For BACKEND.Starts with askr_
Read & WriteTo get/send data from/to the HrFlow.ai API.
For BACKEND.
Starts with ask_

❗️

Exposing an API Key with a Read permission

If you use an API Key with Read permission in an exposed website, you should whitelist the domain where you use it to avoid personal data leaks.

1600

Settings > API > Keys

Step 2: Whitelist your domains & Secure your data

Domain whitelisting in HrFlow.ai is a security model that controls access to outside domains. The default security policy is to allow all external API calls. The developers can limit the access to specific network domains and subdomains by declaring them.

Step 3: Authenticate your API requests

API calls requires at least:

  • an HrFlow.ai API ENDPOINT_URL
  • a METHOD such as GET, POST, PATCH, PUT, DELETE.
    The HrFlow.ai requests are authenticated using two HTTP headers called :
  • X-API-KEY: pass your API Secret Key to it (ex: DEMO_KEY)
  • X-USER-EMAIL: pass your email used to sign in to the HrFow.ai Portal (ex: [email protected])
curl --request METHOD --url ENDPOINT_URL -header "X-API-Key: DEMO_KEY" --header "X-USER-EMAIL:[email protected]"

What’s Next