API Keys

Floe uses API keys to authenticate requests to the developer platform. There are two key types, each scoped to a different set of endpoints.

Key Types

| Prefix | Name | Scope | Created Via | Used For |
|---|---|---|---|---|
| floe_live_* | Developer key | Whole developer account | Dashboard API Keys page or POST /v1/developer/keys | Credit API developer endpoints, agent management, webhook management |
| floe_* | Agent key | One specific agent | Agent setup wizard, POST /v1/developer/agents/:id/keys, or floe-agent register --name <name> | x402 proxy, agent balance, agent-awareness endpoints, MCP server |

Developer keys are for your backend services — monitoring loan health, managing webhooks, registering new agents, and calling developer-scoped endpoints on the Credit API. One key per environment is typical.

Agent keys identify one specific agent. Every agent registered under a developer gets its own floe_* key with a one-active-key cap (rotate to issue a new one). Agent keys are required for the agent-awareness endpoints (credit-remaining, loan-state, spend-limit, etc.) and for MCP server sessions scoped to a single agent.

Agent Keys

One developer can own multiple agents (up to 5 per account today). Each agent has its own scoped key. There are four ways to mint one:

  1. Dashboard wizard: visit dev-dashboard.floelabs.xyz, create an agent, copy the floe_* key shown on the final step. It is revealed once.

  2. TypeScript CLI: npx floe-agent register --name my-agent --borrow-limit 10000. The key is stored in your OS keychain and surfaced once in stdout.

  3. Python CLI: floe-agent register --name my-agent --borrow-limit 10000. Same behavior as the TypeScript CLI.

  4. REST API: POST /v1/developer/agents to create, then POST /v1/developer/agents/:id/keys to mint. See Credit API → Developer Agents.

The CLI's --borrow-limit flag is in USDC (10000 = $10K). The REST API's borrowLimitRaw field is in raw 6-decimal units (10000 = $0.01, 10000000000 = $10K).

Each agent has a one-active-key cap. To issue a replacement key, call POST /v1/developer/agents/:id/keys/:keyId/rotate; the old key is revoked atomically in the same transaction.

Authentication

Include your key in the Authorization header as a Bearer token:

Creating Keys

Via the Dashboard

  1. Click Create Key

  2. Enter a label (e.g., "production-backend" or "staging-monitor")

  3. Select permissions: Read or Read/Write

  4. Optionally set an expiry date

  5. Click Create — your full key is displayed once

Copy the key immediately. It is shown only at creation and cannot be retrieved later.

Via the API

Request body:

| Field | Type | Required | Description |
|---|---|---|---|
| label | string | No | Human-readable name for this key |
| permissions | string | No | read (default) or read_write |
| expiresAt | string | No | ISO 8601 expiry date. Omit for no expiry. |

Response:

The key field contains the full key. This is the only time you see it.


API Endpoints

All endpoints require an existing developer key in the Authorization header.

POST /v1/developer/keys

Create a new developer key.

Returns the full key in the response. Store it securely.

GET /v1/developer/keys

List all keys for your account. Returns prefixes only — full keys are never returned after creation.

Response:

DELETE /v1/developer/keys/:keyId

Revoke a key immediately. Any requests using this key will fail with 401 after revocation.

Response:


Security

  • Keys are hashed with HMAC-SHA256 before storage. The full key is never stored on Floe's servers.

  • The full key is displayed exactly once — at creation. If you lose it, revoke and create a new one.

  • All key operations are scoped to the authenticated wallet. You cannot access another wallet's keys.

Rate Limits

| Key Type | Limit |
|---|---|
| Developer key (floe_live_*) | 100 requests/minute |
| Agent key (floe_*) | 30 requests/minute (x402 proxy) |

Rate limit headers are included in every response:

| Header | Description |
|---|---|
| X-RateLimit-Limit | Max requests per window |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |

If you exceed the limit, you receive a 429 Too Many Requests response. Wait until X-RateLimit-Reset before retrying.
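
A client-side wrapper for the Bearer header and the 429 handling described above, as an added example that is not Floe's own code. The function names, the send transport callable, and the fallback and max_wait values are assumptions made for illustration.

```python
import math
import time

def key_kind(api_key):
    """Classify a key by the two prefixes this page documents."""
    # Test floe_live_ first: a developer key also matches the broader floe_ prefix.
    if api_key.startswith("floe_live_"):
        return "developer"
    if api_key.startswith("floe_"):
        return "agent"
    raise ValueError("value does not carry a Floe key prefix")

def auth_headers(api_key):
    """Build the Bearer header, refusing values that are not Floe keys."""
    key_kind(api_key)
    return {"Authorization": "Bearer " + api_key}

def wait_seconds(headers, now, fallback=1.0, max_wait=120.0):
    """Seconds until X-RateLimit-Reset (a Unix timestamp), clamped to [0, max_wait].

    fallback and max_wait are assumed client-side choices, not documented values.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    try:
        delay = float(lowered["x-ratelimit-reset"]) - now
    except (KeyError, TypeError, ValueError):
        return fallback  # header missing or malformed
    if math.isnan(delay):
        return fallback
    return min(max(delay, 0.0), max_wait)  # a bogus far-future reset cannot stall us

def call_with_backoff(send, api_key, max_attempts=3, now=time.time, sleep=time.sleep):
    """Call send(headers) -> (status, response_headers, body), retrying only on 429.

    send is a hypothetical transport callable supplied by the caller.
    """
    headers = auth_headers(api_key)
    for attempt in range(1, max_attempts + 1):
        status, response_headers, body = send(headers)
        if status != 429 or attempt == max_attempts:
            return status, body  # e.g. 401 from a revoked key is returned, not retried
        sleep(wait_seconds(response_headers, now()))
```

Passing now and sleep as parameters keeps the retry logic testable without real waiting; in production the defaults use the system clock.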

Best Practices

  • Label keys by environment. Use names like production, staging, local-dev so you can identify and rotate them easily.

  • Never commit keys to git. Use environment variables or a secrets manager. Add .env to your .gitignore.

  • Use read-only keys when possible. If a service only needs to read loan status or list webhooks, give it a read key.

  • Rotate immediately if compromised. Revoke the old key via DELETE /v1/developer/keys/:keyId and create a new one. There is no downtime — the new key works instantly.

  • Set expiry for temporary access. If you're granting a key to a contractor or CI pipeline, use expiresAt so it auto-expires.
