Quotaflow
llms.txtOpenAPIDashboard
Quotaflow API

Authentication

When to use this page

Use this page when wiring Quotaflow into an SDK, server, CI job, or agent runtime.

Bearer token

Quotaflow accepts a qf_... API key as a bearer token. The key authenticates the request. Every active key must be attached to an explicit organization, project, subscription, package, or contract billing profile. Removed balance-backed billing contexts are rejected.

Authorization: Bearer qf_your_key_here

Alternate headers

Some clients cannot set Authorization. Quotaflow also accepts:

x-api-key: qf_your_key_here

or:

x-goog-api-key: qf_your_key_here

AK/SK signed requests

Enterprise keys can also be issued as an Access Key / Secret Key pair. Use this mode when your security policy requires request signing or replay protection. Do not send a bearer API key on the same request.

Send these headers:

X-QF-Access-Key: qfak_your_access_key
X-QF-Timestamp: 1782969000
X-QF-Nonce: unique-nonce-per-request
X-QF-Content-SHA256: lowercase_sha256_hex_of_request_body
X-QF-Signature: lowercase_hmac_sha256_hex

The signature is HMAC-SHA256(secret_key, canonical_request), where canonical_request is:

METHOD
/path
raw_query_string
unix_timestamp_seconds
nonce
sha256_hex_body

Timestamps must be close to server time, and each nonce can only be used once during the replay window. The secret key is shown only when the credential is created; store it in a server-side secret manager.

Security rules

Common authentication errors

{
  "error": "Missing API key",
  "message": "Please provide an API key in the x-api-key, x-goog-api-key, or Authorization header"
}

This means no key reached the API.

{
  "error": {
    "message": "Invalid API key",
    "type": "authentication_error"
  }
}

This means the key is missing, disabled, expired, deleted, or from a different environment.