Authentication
Choose the right credential for backend API calls and browser embeds.
Fluo uses different credentials for different trust boundaries.
| Credential | Where it belongs | Use it for |
|---|---|---|
| Secret API key | Your server or trusted backend jobs | Running agents, streaming threads, uploads, and other authenticated API calls. |
| Publishable embed key | Browser widget snippets | Public chat embeds for a specific published agent. |
| User session token | Fluo dashboard clients | Interactive platform access for signed-in users. |
Secret API Keys
Send secret API keys in the x-api-key header.
```bash
curl https://api.fluo.one/api/v1/agents/agent_123/run \
  -X POST \
  -H "content-type: application/json" \
  -H "x-project-id: project_123" \
  -H "x-api-key: $FLUO_API_KEY" \
  -d '{"query":"Hello"}'
```
Required Headers
| Header | Required | Description |
|---|---|---|
| x-api-key | Yes for secret-key API calls | Authenticates the request. |
| x-project-id | Yes | Selects the project for the request. |
| content-type | Yes for JSON bodies | Use application/json. |
Publishable Embed Keys
Browser embeds should use publishable keys. These keys are not broad secrets. They should be scoped to:
- One agent or an explicit agent allowlist.
- One set of allowed domains.
- A small public endpoint surface.
- Rate limits and spend caps.
See Public Embed Keys for the complete model.
Key Handling Rules
- Store secret API keys in environment variables or your secret manager.
- Never put secret API keys in frontend code.
- Rotate keys if they are exposed.
- Use separate keys for development, staging, and production.
- Use descriptive labels so you can revoke one integration without disrupting others.
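The following wrapper is an added example, not code from Fluo: it makes the run call from the Secret API Keys section on a backend host, refuses to send anything when the key is missing, and passes the x-api-key header to curl through a config read from stdin, because command-line arguments can be read by other local users through the process list. The function names, the FLUO_PROJECT_ID variable and the allowed agent id characters are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Fluo's code. Function names and FLUO_PROJECT_ID are
# assumptions; FLUO_API_KEY, the endpoint and header names are from the page.

# Print a curl config line holding only the secret header. printf is a shell
# builtin, so the key never becomes an argument of a new process.
fluo_key_config() {
  if [ -z "${FLUO_API_KEY:-}" ]; then
    echo "FLUO_API_KEY is not set" >&2
    return 1
  fi
  # Reject characters that would break config quoting or split the header.
  case "$FLUO_API_KEY" in
    *\"*|*\\*|*[[:cntrl:]]*)
      echo "FLUO_API_KEY contains unsupported characters" >&2
      return 1 ;;
  esac
  printf 'header = "x-api-key: %s"\n' "$FLUO_API_KEY"
}

# Usage: fluo_run_agent <agent_id> <json_body>
fluo_run_agent() {
  fluo_agent_id=$1
  fluo_body=$2
  # Assumed id alphabet; keeps the path segment from altering the URL.
  case "$fluo_agent_id" in
    ''|*[!A-Za-z0-9_-]*)
      echo "invalid agent id" >&2
      return 1 ;;
  esac
  case "${FLUO_PROJECT_ID:-}" in
    ''|*[[:cntrl:]]*)
      echo "FLUO_PROJECT_ID is missing or malformed" >&2
      return 1 ;;
  esac
  # Build the config first: piping straight from fluo_key_config would let
  # curl send an unauthenticated request if the key check failed.
  fluo_config=$(fluo_key_config) || return 1
  printf '%s\n' "$fluo_config" | curl --silent --show-error --fail \
    --config - \
    -X POST \
    -H "content-type: application/json" \
    -H "x-project-id: $FLUO_PROJECT_ID" \
    -d "$fluo_body" \
    "https://api.fluo.one/api/v1/agents/$fluo_agent_id/run"
}
```

Source the file from a backend job and call `fluo_run_agent agent_123 '{"query":"Hello"}'` with both variables supplied by the environment or your secret manager.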