API Keys

API keys authenticate your requests to Flint Pay. Each key has scoped permissions controlling which APIs it can access. Keys use the key_ ID prefix.

If you do not have your first API key yet, start with the Developer Setup surface or the API & Agent Onboarding guide.

If you need isolated test environments, use Sandboxes to create or reset sandboxes and issue sandbox-bound test keys.

If you are sizing workers or retry loops, see Rate Limits for the current default limits and 429 handling guidance.

Methods#

Manage keys over the API with the /v1/api-keys endpoints: list (GET /v1/api-keys), create (POST /v1/api-keys), retrieve (GET /v1/api-keys/{api_key_id}), update (PATCH /v1/api-keys/{api_key_id}), and revoke (POST /v1/api-keys/{api_key_id}/revoke). Creating a key returns its secret_key once. See the Authentication guide for request rules and examples.

To create your very first key, before you have one to authenticate with, use one of these flows instead:

  • Create your first key during Developer Setup.
  • Issue sandbox-bound test keys from Sandboxes after setup.
  • Create and manage keys in the Flint dashboard.

secret_key values are only shown once at creation time. Store them securely. Flint cannot return the same secret again later.

Key Format#

Test keys start with flint_test_, live keys with flint_live_. Use test keys for sandbox and other test-mode environments. Live keys should only be used for production traffic.

When you create a key with sandbox_id, Flint binds that test key to a specific sandbox. Requests made with that key execute inside that sandbox automatically; you do not send a separate sandbox selector on each request.

Sandbox-bound keys are only valid for active test sandboxes owned by the authenticated merchant.

Key Statuses#

StatusDescription
activeKey is valid and can authenticate requests
revokedKey has been permanently revoked and cannot be used

Available Scopes#

Each scope grants access to specific API operations. Use the narrowest set of scopes your integration requires.

Accounts#

ScopeDescription
accounts.api_keys.readRead API key metadata where supported
accounts.api_keys.writeCreate, update, and revoke API keys, including sandbox-bound test keys
accounts.devices.readRead devices
accounts.devices.writeCreate, update, delete devices
accounts.merchants.readRead merchant details
accounts.merchants.writeUpdate merchant profile

Customers#

ScopeDescription
customers.customers.readRead customers
customers.customers.writeCreate, update customers

Commerce#

ScopeDescription
commerce.orders.readRead orders
commerce.orders.writeCreate, update, close, and pay orders; mutate line items, discounts, requested tip, and tax
commerce.products.readRead products
commerce.products.writeCreate, update, delete products, variants, and bundles; replace categories; adjust variant inventory
commerce.coupons.readRead coupons
commerce.coupons.writeCreate, update, delete coupons; replace product restrictions
commerce.refunds.readRead refunds
commerce.refunds.writeCreate refunds
commerce.invoices.readRead invoices, invoice events, invoice delivery attempts, and invoice PDFs
commerce.invoices.writeCreate, update, send, void, remind, and collect invoices
commerce.subscriptions.readRead subscriptions
commerce.subscriptions.writeCreate, update, cancel, pause, resume subscriptions
commerce.subscription_plans.readRead subscription plans
commerce.subscription_plans.writeCreate, update, archive plans

Payments#

ScopeDescription
payments.payment_intents.readRead payment intents
payments.payment_intents.writeCreate, update, confirm, capture, and cancel payment intents
payments.payment_methods.readRead payment methods
payments.payment_methods.writeSave, remove, and set default payment methods

Checkouts#

ScopeDescription
checkouts.checkout_sessions.readRead checkout sessions
checkouts.checkout_sessions.writeCreate, update, and close checkout sessions
checkouts.payment_links.readRead payment links
checkouts.payment_links.writeCreate, update, replace content, activate, and deactivate payment links

Settings & Analytics#

ScopeDescription
settings.settings.readRead settings
settings.settings.writeUpdate settings
analytics.readRead analytics data
developer.logs.self.readRead API request logs for the current API key only

Webhooks#

ScopeDescription
webhooks.webhooks.readRead webhook endpoints and webhook delivery events
webhooks.webhooks.writeCreate, update, delete, and rotate webhook endpoints

Defined But Not Currently Used By Public /v1 Routes#

These scopes exist in the shared scope enum and may appear in internal or future surfaces, but this public API does not currently expose /v1 routes that require them:

Scope
accounts.locations.read
accounts.locations.write
accounts.organizations.read
accounts.organizations.write
analytics.write

Special Case#

all exists in the shared scope model, but external API keys cannot grant it.

Rate this doc