> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flexxible.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication and authorization

The Flexxible API protects access to its resources through a security model based on authentication and authorization.

Authentication identifies the user making the request, while authorization determines which resources and operations they can access based on their permissions.

<Tip>
  To learn how to generate an API key, authenticate, and make your first request, see the Getting started guide.
</Tip>

## Authentication

The API uses an authentication mechanism based on API keys.

Each API key is associated with a Portal user and represents their identity during requests made to the API. There is no need to obtain a prior access token or complete an additional authentication process.

### API key

The API key is the only authentication mechanism supported by the platform.

Characteristics:

* Must be included in every request.
* Identifies the user making the request.
* Limits access to the organization the user belongs to.

## Authorization

Access to API resources is controlled through a role-based authorization system.

Authorization is applied at two levels:

* **Endpoint level.** Determines which roles can access each endpoint.
* **Action level.** Restricts specific operations, such as creating, modifying, or deleting resources, based on the user's permissions.

<Note>
  Access to resources depends on the user permissions defined in Portal. Not all endpoints are available to every role.
</Note>

## Best practices

To protect integrations that use the API, we recommend:

* Keeping API keys in a secure location.
* Not sharing them or including them in public source code.
* Rotating keys periodically.
* Immediately revoking any key that may have been compromised.
