
API Keys

API keys are used to authenticate your requests to the Fileloom API. Each key is tied to a workspace and has specific permissions.

Creating an API Key

1. Go to Settings

   Navigate to Settings > API Keys in your dashboard.

2. Click Create

   Click the Create API Key button.

3. Configure the Key

  • Name - Give it a descriptive name (e.g., “Production Server”, “Staging”)
  • Permissions - Select what the key can do
  • Expiration - Optional expiration date

4. Copy and Store

   Copy your API key immediately. It will only be shown once.

Store your API key securely. Never commit it to version control or expose it in client-side code.

Using Your API Key

Include your API key in the X-API-Key header with every request:

    curl -X POST https://api.fileloom.io/v1/pdf \
      -H "X-API-Key: fl_live_abc123..." \
      -H "Content-Type: application/json" \
      -d '{"htmlContent": "<h1>Hello</h1>"}'

API Key Format

Fileloom API keys follow this format:

    fl_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

| Part   | Description                 |
|--------|-----------------------------|
| fl     | Fileloom prefix             |
| live   | Environment (live or test)  |
| xxx... | 32-character random string  |

The first 8 characters (prefix) are displayed in your dashboard for identification:

    fl_live_a1b2c3d4...

Permissions

Each API key can have one or more permissions:

| Permission     | Description                            |
|----------------|----------------------------------------|
| pdf.generate   | Generate PDFs from HTML or templates   |
| pdf.read       | View and download generated files      |
| pdf.delete     | Delete generated files                 |
| template.read  | View templates                         |
| template.write | Create, update, and delete templates   |

For most use cases, pdf.generate and pdf.read are sufficient.

Permission Examples

  • Backend Server (Full Access) - pdf.generate, pdf.read, pdf.delete, template.read, template.write
  • PDF Generation Only - pdf.generate, pdf.read
  • Read-Only Dashboard - pdf.read, template.read

Security Best Practices

Never hardcode API keys in your source code:

    // ❌ Bad
    const apiKey = 'fl_live_abc123...';

    // ✅ Good
    const apiKey = process.env.FILELOOM_API_KEY;

Create separate keys for development, staging, and production:
  • Development API Key - For local development
  • Staging API Key - For staging/test environments
  • Production API Key - For production only

Only grant the permissions each key actually needs. A key that only generates PDFs doesn’t need template.write.

For temporary integrations or contractors, set an expiration date on the key.

API keys should only be used server-side. Never include them in:
  • Browser JavaScript
  • Mobile app code
  • Public repositories
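
A pre-commit style check for the rules above, as an added example (not Fileloom's own code): it scans text for strings in the documented fl_live_/fl_test_ key format and reports them redacted. It assumes the 32-character random part is alphanumeric; the function names and the sample lines are constructed for illustration.

```javascript
// Added example, not Fileloom code. Assumption: the 32-character random part
// is alphanumeric (the page only says "32-character random string").
const KEY_RE = /\bfl_(live|test)_([A-Za-z0-9]{32})(?![A-Za-z0-9])/g;

// Redact a key before it reaches logs or CI output: keep "fl_<env>_" plus the
// first 8 random characters, the same shape as the dashboard's fl_live_a1b2c3d4...
function redactKey(key) {
  return key.slice(0, 16) + '...';
}

// Return one finding per key-shaped string in `text`, with a 1-based line number.
function scanForFileloomKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(KEY_RE)) {
      // Skip documentation placeholders such as 32 repeated "x" characters.
      if (new Set(m[2]).size === 1) continue;
      findings.push({ line: i + 1, env: m[1], redacted: redactKey(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input: none of these are real keys.
const SAMPLE = [
  "const apiKey = process.env.FILELOOM_API_KEY;",            // safe: read from env
  "const bad = 'fl_live_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6';", // hardcoded live key
  "// format: fl_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",      // doc placeholder
  "KEY=fl_test_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp",            // test key in a dotenv file
  "curl -H 'X-API-Key: fl_live_abc123...'",                  // truncated, not a full key
].join('\n');

// A commit hook would fail when this list is non-empty.
console.log(scanForFileloomKeys(SAMPLE));
```

Only the redacted form is reported, so the scanner's own output does not leak the key into CI logs.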

Rate Limits

API keys are subject to rate limits based on your plan:

| Plan             | Requests/Minute |
|------------------|-----------------|
| Free             | 10              |
| Starter          | 120             |
| Growth           | 200             |
| Scale            | 400             |
| Scale Business   | 1,000           |
| Scale Enterprise | Unlimited       |

When you exceed the rate limit, you’ll receive a 429 Too Many Requests response.

API Key Errors

| Error Code               | Description                        | Solution                  |
|--------------------------|------------------------------------|---------------------------|
| INVALID_API_KEY          | Key doesn’t exist or is incorrect  | Check your key is correct |
| API_KEY_EXPIRED          | Key has passed its expiration date | Create a new key          |
| API_KEY_REVOKED          | Key was manually revoked           | Create a new key          |
| INSUFFICIENT_PERMISSIONS | Key lacks required permission      | Update key permissions    |
