Skip to main content
Every Runflow API request must include your API key in the x-api-key HTTP header. Requests without a valid key return 401 Unauthorized.

Base URL

https://api.runflow.io
All endpoints live under /api/v1/....

The x-api-key header

HeaderTypeRequiredDescription
x-api-keystringYour Runflow API key

Example

curl -X POST https://api.runflow.io/api/v1/images/score \
  -H "x-api-key: YOUR_API_KEY" \
  -F "image=@/path/to/photo.jpg"
In code, always read your key from an environment variable or secret manager — never commit it to source control.

Getting an API key

API keys are currently issued per customer. Talk to the founders and they’ll set you up with credentials and help you plan your integration.

Security best practices

  • Never commit keys to Git. Put RUNFLOW_API_KEY in .env, your CI secrets, or a secret manager.
  • Never expose keys to the browser. Runflow API calls should originate from your backend, not from client-side JavaScript. If you need a browser flow, proxy the call through your server.
  • Rotate keys periodically. If you suspect a key is leaked, ask for a rotation and update your secret store.
  • Use separate keys per environment. Keep staging and production keys distinct so you can revoke one without breaking the other.
  • Watch rate-limit and error metrics. Sudden spikes in 401s or 4xxs often mean a leaked or misconfigured key.

What’s next

Quickstart

Make your first authenticated call.

Webhooks

How async endpoints deliver results back to your app.