Skip to main content
The Flexxible API protects access to its resources through a security model based on authentication and authorization. Authentication identifies the user making the request, while authorization determines which resources and operations they can access based on their permissions.
To learn how to generate an API key, authenticate, and make your first request, see the Getting started guide.

Authentication

The API uses an authentication mechanism based on API keys. Each API key is associated with a Portal user and represents their identity during requests made to the API. There is no need to obtain a prior access token or complete an additional authentication process.

API key

The API key is the only authentication mechanism supported by the platform. Characteristics:
  • Must be included in every request.
  • Identifies the user making the request.
  • Limits access to the organization the user belongs to.

Authorization

Access to API resources is controlled through a role-based authorization system. Authorization is applied at two levels:
  • Endpoint level. Determines which roles can access each endpoint.
  • Action level. Restricts specific operations, such as creating, modifying, or deleting resources, based on the user’s permissions.
Access to resources depends on the user permissions defined in Portal. Not all endpoints are available to every role.

Best practices

To protect integrations that use the API, we recommend:
  • Keeping API keys in a secure location.
  • Not sharing them or including them in public source code.
  • Rotating keys periodically.
  • Immediately revoking any key that may have been compromised.