API Reference

Authentication

How to create and use API keys to authenticate with the FloopFloop API.

API Key Authentication

All API requests must include your API key in the Authorization header using the Bearer token scheme:

Authorization: Bearer flp_your_api_key_here

Creating API Keys

Navigate to Account → API Keys in your FloopFloop dashboard to create and manage API keys.

  • Each account can have up to 5 active API keys
  • Keys are shown only once at creation — store them securely
  • Keys can be revoked at any time from the dashboard
  • All keys start with the prefix flp_

Key Security

  • Never share your API keys or commit them to version control
  • Use environment variables to store keys in your applications
  • Rotate keys regularly and revoke unused keys
  • Each key has its own rate limit bucket

Rate Limits

API endpoints have the following rate limits per API key:

Operation                               Limit           Window
Read operations (GET)                   120 requests    1 minute
Write operations (POST/PATCH/DELETE)    30 requests     1 minute
Deploy/Rollback                         5 requests      1 hour
Project creation/Clone                  10 requests     1 hour

Rate limit information is included in response headers: X-RateLimit-Remaining and X-RateLimit-Reset.

Verify Authentication

GET /api/v1/user/me

Use this endpoint to confirm your API key is valid. It returns the authenticated user's profile and is the standard “test your auth” call used by every official SDK and by floop whoami in the CLI.

curl https://floopfloop.com/api/v1/user/me \
  -H "Authorization: Bearer flp_your_api_key_here"

Response (200):

{
  "data": {
    "id": "user_abc123",
    "email": "you@example.com",
    "name": "Your Name",
    "role": "user",
    "source": "api_key"
  }
}

  • role: "user" for normal accounts, "admin" for platform staff.
  • source: how the request was authenticated. "api_key" for programmatic credentials, "cli_token" for the device-authorised CLI flow.

A 401 UNAUTHORIZED here means the key is missing, revoked, or malformed. A 403 FORBIDDEN means the account exists but lacks the Business plan that gates API access (see Requirements in the API Overview).

Programmatic API Key Management

Most users create keys from the dashboard, but the same surface is available over the API for orchestration scenarios — rotating a key from a CI job, listing keys to audit usage, or revoking a leaked key without a UI round-trip. This mirrors what floop keys list/create/remove does in the CLI.

List API Keys

GET /api/v1/api-keys

Returns metadata for every active (non-revoked) key on the account. Plaintext key material is never returned — only the keyPrefix (the first 8 hex chars of the key, prefixed with flp_).

{
  "data": {
    "keys": [
      {
        "id": "key_abc",
        "name": "ci-deploy",
        "keyPrefix": "flp_a1b2c3d4",
        "scopes": null,
        "lastUsedAt": "2026-04-24T18:30:00Z",
        "createdAt": "2026-04-01T12:00:00Z"
      }
    ]
  }
}

Create API Key

POST /api/v1/api-keys
{
  "name": "ci-deploy"    // required, 1-100 chars
}

Response (201):

{
  "data": {
    "id": "key_xyz",
    "rawKey": "flp_a1b2c3d4…full-40-hex…",
    "keyPrefix": "flp_a1b2c3d4"
  }
}

The rawKey is shown only once — subsequent reads return only the keyPrefix. Store it immediately. Each account is capped at 5 active keys; if you hit the cap the request returns 409 LIMIT_EXCEEDED — revoke an unused key first.

Creating a key requires the Business plan. A request from a non-Business account returns 403 FORBIDDEN with message “Creating API keys requires the Business plan”. Platform admins bypass this gate.

Revoke API Key

DELETE /api/v1/api-keys/{keyId}

Pass the key's id (e.g. key_xyz) as the path parameter. The key is invalidated immediately — in-flight requests already on a worker may complete, but no new requests will authenticate.

Response (200):

{ "data": { "success": true } }

  • Self-revocation is blocked. Calling DELETE with the same key making the request returns 400 VALIDATION_ERROR — this stops the CLI from cutting itself off mid-call. Use a different key, or revoke from the dashboard.
  • Unknown or already-revoked keys return 404 NOT_FOUND.

The official SDKs accept either an id or a key name in their apiKeys.remove() helpers, resolving name → id client-side via a list call. The API itself accepts only the id.

A revoked key cannot be restored; create a new one to replace it. Revocation is recorded in the audit log shown on Account → API Keys.
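
A key rotation built from the endpoints documented above, as an added example (not FloopFloop SDK or CLI code): it creates the replacement with the old key, checks it against /user/me, then revokes the old key using the new one, because self-revocation returns 400. The names http_call and rotate_key, the 10-second timeout, and matching the old key by its first 12 characters are assumptions of this example.

```python
# Added example; http_call and rotate_key are hypothetical names, not SDK functions.
import json
import urllib.error
import urllib.request

BASE = "https://floopfloop.com/api/v1"  # host from the curl example on this page

def http_call(method, path, token, body=None):
    """Send one authenticated request; return (status, parsed JSON or {})."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}

def rotate_key(old_raw, name, call=http_call):
    """Replace old_raw with a fresh key and return the new rawKey."""
    # Find the old key's id via keyPrefix: "flp_" plus the first 8 hex chars.
    status, listing = call("GET", "/api-keys", old_raw)
    if status != 200:
        raise RuntimeError(f"old key rejected ({status}); nothing rotated")
    ids = [k["id"] for k in listing["data"]["keys"] if k["keyPrefix"] == old_raw[:12]]
    if len(ids) != 1:
        raise RuntimeError("old key not uniquely identified by keyPrefix")
    # Create the replacement while the old key still works.
    status, created = call("POST", "/api-keys", old_raw, {"name": name})
    if status == 409:
        raise RuntimeError("5-key cap reached; revoke an unused key first")
    if status != 201:
        raise RuntimeError(f"create failed ({status})")
    new_id, new_raw = created["data"]["id"], created["data"]["rawKey"]
    # Prove the new key authenticates before removing the old one.
    status, _ = call("GET", "/user/me", new_raw)
    if status != 200:
        raise RuntimeError(f"new key {new_id} failed verification; old key kept")
    # Self-revocation returns 400, so the DELETE is sent with the NEW key.
    status, _ = call("DELETE", "/api-keys/" + ids[0], new_raw)
    if status != 200:
        raise RuntimeError(f"revoke failed ({status}); old and new keys both active")
    return new_raw
```

Write the returned rawKey to your secret store before doing anything else with it, since later reads return only the keyPrefix.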