Authentication & scopes
Every API request uses a bearer key in the Authorization header. The key type
depends on the surface you are calling.
| Surface | Scheme | Header | Use |
|---|---|---|---|
| Storefront | PublishableKeyAuth | Authorization: Bearer flow_pk_... | Browser-safe public reads |
| Management | SecretKeyAuth | Authorization: Bearer flow_sk_... | Server-only back-office reads and writes |
Storefront keys
Storefront uses a publishable key (flow_pk_...). It is designed for websites:
safe to include in browser code, read-only, and limited to public studio data.
Storefront operations in the current spec:
| Operation | Path |
|---|---|
| storefrontGetConfig | GET /v1/config |
| storefrontGetSite | GET /v1/site |
| storefrontListClasses | GET /v1/classes |
| storefrontListInstructors | GET /v1/instructors |
| storefrontListPlans | GET /v1/plans |
| storefrontGetPolicies | GET /v1/policies |
Management keys
Management uses a secret key (flow_sk_...). It is server-only. Store it in your
server environment or a secrets manager, never in a browser bundle, mobile app, or
public repository.
Secret keys carry least-privilege scopes. A request is accepted only when the key has the scope required by that operation.
| Scope | Operations |
|---|---|
| classes:read | GET /v1/classes |
| classes:write | POST /v1/classes, PATCH /v1/classes/{classId}, DELETE /v1/classes/{classId} |
| content:read | GET /v1/content |
| content:write | PATCH /v1/content/{contentId}, DELETE /v1/content/{contentId} |
| coupons:read | GET /v1/coupons |
| coupons:write | POST /v1/coupons, DELETE /v1/coupons/{couponId} |
| instructors:read | GET /v1/instructors |
| instructors:write | POST /v1/instructors, PATCH /v1/instructors/{instructorId} |
| locations:read | GET /v1/locations, GET /v1/locations/{locationId}/rooms |
| locations:write | POST /v1/locations, PATCH /v1/locations/{locationId}, DELETE /v1/locations/{locationId}, POST /v1/locations/{locationId}/rooms, PATCH /v1/locations/{locationId}/rooms/{roomId}, DELETE /v1/locations/{locationId}/rooms/{roomId} |
| members:read | GET /v1/members |
| members:write | POST /v1/members/invites, PATCH /v1/members/{membershipId}, POST /v1/members/{membershipId}/cancel |
| plans:read | GET /v1/plans |
| plans:write | POST /v1/plans, PATCH /v1/plans/{planId}, DELETE /v1/plans/{planId} |
| programs:read | GET /v1/programs, GET /v1/programs/{programId} |
| programs:write | POST /v1/programs, PATCH /v1/programs/{programId} |
| schedule:read | GET /v1/schedule |
| schedule:write | PATCH /v1/schedule/{occurrenceId} |
Header format
Authorization: Bearer flow_pk_your_publishable_key
Authorization: Bearer flow_sk_your_secret_key
Use one key per integration or deployment environment. Rotate by creating a new key, deploying it, then revoking the old key after traffic has moved.
Access failures
Missing, malformed, revoked, or wrong-kind keys return 401. A valid secret key
without the operation's required scope returns 403. Both responses use the
standard Problem format described in Errors.
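The following is an added illustration, not code from the API or its SDK: a server-side gate that applies the rules above (401 for missing, malformed, revoked or wrong-kind keys, 403 for a valid secret key without the operation's scope) to a subset of the management routes. The key records, the 404 for an unmatched route, and the plain-string reasons are constructed assumptions; the real service returns the Problem format from Errors.

```python
import re

# Constructed key records for this example. A real service would look the
# presented key up (by hash) in its key store rather than in a dict.
KEYS = {
    "flow_pk_demo":  {"kind": "publishable", "scopes": set(), "revoked": False},
    "flow_sk_read":  {"kind": "secret", "scopes": {"classes:read", "members:read"}, "revoked": False},
    "flow_sk_stale": {"kind": "secret", "scopes": {"classes:write"}, "revoked": True},
}

# Management routes and the scope each requires (subset of the scope table).
MANAGEMENT_ROUTES = [
    ("GET",    re.compile(r"^/v1/classes$"),              "classes:read"),
    ("POST",   re.compile(r"^/v1/classes$"),              "classes:write"),
    ("PATCH",  re.compile(r"^/v1/classes/[^/]+$"),        "classes:write"),
    ("DELETE", re.compile(r"^/v1/classes/[^/]+$"),        "classes:write"),
    ("GET",    re.compile(r"^/v1/members$"),              "members:read"),
    ("POST",   re.compile(r"^/v1/members/invites$"),      "members:write"),
    ("PATCH",  re.compile(r"^/v1/members/[^/]+$"),        "members:write"),
    ("POST",   re.compile(r"^/v1/members/[^/]+/cancel$"), "members:write"),
]

# Accept only the documented header shape: "Bearer " followed by a flow_pk_/flow_sk_ key.
BEARER = re.compile(r"^Bearer (flow_(?:pk|sk)_[A-Za-z0-9_]+)$")


def required_scope(method, path):
    """Return the scope a management operation needs, or None if no route matches."""
    for route_method, pattern, scope in MANAGEMENT_ROUTES:
        if route_method == method and pattern.match(path):
            return scope
    return None


def authorize(headers, method, path):
    """Gate a management request. Returns (status, reason); 200 means accepted."""
    scope = required_scope(method, path)
    if scope is None:
        return 404, "unknown operation"          # assumption: unmatched route
    match = BEARER.match(headers.get("Authorization", ""))
    if not match:
        return 401, "missing or malformed bearer key"
    key = KEYS.get(match.group(1))
    if key is None or key["revoked"]:
        return 401, "unknown or revoked key"
    if key["kind"] != "secret":
        return 401, "publishable key is the wrong kind for the management surface"
    if scope not in key["scopes"]:
        return 403, f"key lacks required scope {scope}"
    return 200, "ok"
```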