Authentication


API Key Header

All API requests must include a valid API key in the X-API-Key HTTP header:

X-API-Key: YOUR_API_KEY

Example request:

curl -s -H "X-API-Key: YOUR_API_KEY" "https://api.rateflow.com/v1/rates/latest?base=EUR"

If the API key is missing or invalid, the API returns a 401 error:

{
    "type": "https://rateflowapi.com/errors/invalid-api-key",
    "title": "Invalid API Key",
    "status": 401,
    "detail": "The API key provided is missing or invalid."
}

If your account is blocked, the key is deactivated, or your email is not verified, the API returns a 403 error with inactive-account.

Security Best Practices

  • Never expose your API key in client-side JavaScript, mobile app source code, or public Git repositories.
  • Use environment variables or a secrets manager to store your key.
  • Rotate your API key periodically from the API Keys page.
  • Use separate keys for development and production.
  • Monitor your usage on the Dashboard to detect unauthorized use.
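The following client sketch is an added example, not RateFlow's own code. It reads the key from an environment variable, keeps it out of log lines, and turns the 401 and 403 responses described above into a distinct error so callers stop retrying with a bad key. The variable name RATEFLOW_API_KEY and the function and class names are assumptions; the base URL is the one from the curl example.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.rateflow.com/v1"  # host taken from the curl example above
KEY_ENV_VAR = "RATEFLOW_API_KEY"          # assumed variable name, not defined by the API

class AuthError(Exception):
    """Raised for 401/403 so callers stop retrying and alert instead."""
    def __init__(self, status, slug, detail):
        super().__init__(f"{status} {slug}: {detail}")
        self.status, self.slug, self.detail = status, slug, detail

def build_request(path, env=os.environ):
    """Build a request whose key comes from the environment, never from source."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    if not BASE_URL.startswith("https://"):
        raise RuntimeError("refusing to send the API key over a non-TLS URL")
    return urllib.request.Request(BASE_URL + path, headers={"X-API-Key": key})

def redact(req):
    """Log-safe view of a request: the key value is never written out."""
    return f"{req.get_method()} {req.full_url} X-API-Key=<redacted>"

def parse_auth_error(status, body):
    """Map a 401/403 error body to an AuthError; return None for other statuses."""
    if status not in (401, 403):
        return None
    try:
        doc = json.loads(body)
    except ValueError:  # body was not JSON (e.g. a proxy error page)
        doc = {}
    doc = doc if isinstance(doc, dict) else {}
    # The last path segment of "type" is the short error name, e.g. invalid-api-key.
    slug = str(doc.get("type", "")).rstrip("/").rsplit("/", 1)[-1] or "unknown"
    return AuthError(status, slug, doc.get("detail", ""))

def get_json(path):
    """GET a path and return parsed JSON, raising AuthError on 401/403."""
    req = build_request(path)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        err = parse_auth_error(exc.code, exc.read())
        if err is None:
            raise
        raise err from None
```

Keeping separate development and production keys then only requires setting a different value for the variable in each environment.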