All deployed flow APIs require authentication using your Evaligo API key. This ensures only authorized requests can execute your workflows.
Authentication Methods
Bearer Token (Recommended)
Pass your API key in the Authorization header:
curl -X POST https://api.evaligo.com/flows/your-flow-id/execute \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "value"}'

API Key Header
Alternatively, use the X-API-Key header:
curl -X POST https://api.evaligo.com/flows/your-flow-id/execute \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"input": "value"}'

Getting Your API Key
To obtain your API key:
- Navigate to Settings → API Keys in your Evaligo workspace
- Click "Generate New API Key"
- Copy the key immediately (it won't be shown again)
- Store it securely in your application's environment variables
API Key Management
Multiple Keys
Create separate API keys for different environments or applications:
- Development: For testing and development
- Staging: For pre-production testing
- Production: For live applications
- Per-Service: Separate keys for different microservices
Key Rotation
Rotate your API keys regularly for security:
- Generate a new API key
- Update your application to use the new key
- Test that everything works with the new key
- Revoke the old key
Revoking Keys
If a key is compromised:
- Immediately revoke it in Settings → API Keys
- Generate a replacement key
- Update all services using the compromised key
- Monitor your usage logs for suspicious activity
Best Practices
Secure Storage
# ✅ Good: Environment variables
export EVALIGO_API_KEY=your_api_key_here

// ❌ Bad: Hardcoded in source
const apiKey = "pk_live_12345..." // Never do this!

Error Handling
Handle authentication errors gracefully:
import os
import requests

# Read the key from the environment instead of hardcoding it
api_key = os.environ["EVALIGO_API_KEY"]

response = requests.post(
    "https://api.evaligo.com/flows/flow-id/execute",
    headers={"Authorization": f"Bearer {api_key}"},
    json={"input": "value"},
    timeout=30,
)
if response.status_code == 401:
    print("Authentication failed. Check your API key.")
elif response.status_code == 403:
    print("Forbidden. You don't have access to this resource.")
else:
    response.raise_for_status()  # surface other HTTP errors (429, 5xx)
    result = response.json()

Rate Limiting
API keys are subject to rate limits based on your plan:
- Free tier: 100 requests per minute
- Pro tier: 1,000 requests per minute
- Enterprise: Custom limits
Implement exponential backoff for rate limit errors (429):
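const url = 'https://api.evaligo.com/flows/your-flow-id/execute';
const apiKey = process.env.EVALIGO_API_KEY; // read from the environment, never hardcode

async function callFlowWithRetry(data, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(url, {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${apiKey}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify(data)
    });
    if (response.status === 429) {
      // Rate limited: use Retry-After when it is a number of seconds,
      // otherwise fall back to exponential backoff (1s, 2s, 4s, ...)
      const headerSeconds = Number(response.headers.get('Retry-After'));
      const retryAfter = Number.isFinite(headerSeconds) && headerSeconds > 0
        ? headerSeconds
        : Math.pow(2, i);
      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
      continue;
    }
    return response.json();
  }
  throw new Error('Max retries exceeded');
}

Security Recommendations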
Use HTTPS Only
Always use HTTPS endpoints to encrypt API keys in transit.
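
The Secure Storage and Use HTTPS Only advice can be enforced in one place, before a request is ever built. The following is an added example, not Evaligo's own code: the host and the EVALIGO_API_KEY variable name come from the examples on this page, while the function names, the UnsafeRequestError class, and the timeout value are assumptions.

```python
import os
from urllib.parse import urlsplit

ALLOWED_HOST = "api.evaligo.com"   # host used in this page's curl examples
KEY_ENV_VAR = "EVALIGO_API_KEY"    # name used in the Secure Storage example


class UnsafeRequestError(ValueError):
    """Raised when building the request would risk exposing the key."""


def load_api_key(environ=None):
    """Read the key from the environment; there is no hardcoded fallback."""
    environ = os.environ if environ is None else environ
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise UnsafeRequestError(f"{KEY_ENV_VAR} is not set")
    return key


def check_endpoint(url):
    """Accept only https:// URLs on the expected API host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeRequestError("API key must only be sent over https")
    if parts.hostname != ALLOWED_HOST:
        raise UnsafeRequestError(f"unexpected host: {parts.hostname!r}")
    if parts.username or parts.password:
        raise UnsafeRequestError("userinfo in the URL is not allowed")
    return url


def build_request(url, payload, environ=None):
    """Return keyword arguments for requests.post(); nothing is sent here."""
    key = load_api_key(environ)
    return {
        "url": check_endpoint(url),
        "headers": {"Authorization": f"Bearer {key}"},
        "json": payload,
        "timeout": 10,             # assumed value
        "allow_redirects": False,  # surface redirects instead of following them
    }


def redact(headers):
    """Copy of the headers that is safe to log: credential values are masked."""
    secret = {"authorization", "x-api-key"}
    return {k: ("<redacted>" if k.lower() in secret else v)
            for k, v in headers.items()}
```

Pass the result to requests.post(**build_request(...)) and log only redact(...) output, so the key never reaches application logs.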
Least Privilege
Use workspace-level permissions to limit what each API key can access.
Monitoring
Monitor API key usage in your Evaligo dashboard:
- Track requests per key
- Identify unusual usage patterns
- Set up alerts for suspicious activity
- Review access logs regularly
IP Whitelisting (Enterprise)
Enterprise plans can restrict API key usage to specific IP addresses for additional security.