Authentication
When to use this page
Use this page when wiring QuotaFlow into an SDK, server, CI job, or agent runtime.
Bearer token
QuotaFlow accepts an API key as a bearer token.
Authorization: Bearer qf_your_key_hereAlternate headers
Some clients cannot set Authorization. QuotaFlow also accepts:
x-api-key: qf_your_key_hereor:
x-goog-api-key: qf_your_key_hereSecurity rules
- Never commit API keys.
- Never place API keys in frontend JavaScript.
- Use different keys per customer, environment, or agent group.
- Rotate a key immediately if it appears in logs, screenshots, crash reports, or support tickets.
Common authentication errors
{
"error": "Missing API key",
"message": "Please provide an API key in the x-api-key, x-goog-api-key, or Authorization header"
}This means no key reached the API.
{
"error": {
"message": "Invalid API key",
"type": "authentication_error"
}
}This means the key is missing, disabled, expired, deleted, or from a different environment.
AI agents: start at
/llms.txt, fetch /llms-full.txt for full context, and parse /openapi.yaml for endpoint schemas.