Skip to content

Closed Alpha

FluxPlay is currently in Closed Alpha. This documentation is a work in progress and may be incomplete or out of date. Features, UI, and APIs are subject to change without notice. For access inquiries, please contact [email protected].

API KEYS

Programmatic access to FluxPlay via server and user API keys with fine-grained IP restrictions and scope controls. Secure by default — plaintext keys are never stored.

Two Key Types for Two Use Cases

Server keys are for server-side integrations where the key is stored securely in a secrets manager or environment variable. User keys are for personal scripts and third-party apps that act on behalf of a specific user.

Capabilities

Server Keys (fp_server_)

Created by admins for automation scripts, integrations, and backend-to-backend communication. Full API scope available.

User Keys (fp_user_)

Created by users for personal integrations. Scoped to the creating user's permissions — cannot exceed account privileges.

IP/CIDR Restrictions

Restrict each key to a set of IP addresses or CIDR ranges. Requests from other IPs are rejected with 403 Forbidden.

SHA-256 Storage

Only the SHA-256 hash of the key is stored. The plaintext key is shown once at creation and cannot be recovered.

Key Rotation

Rotate any key to generate a new value while preserving all settings. The old key is invalidated immediately.

Permissions

Assign a named permission scope to each key. Server keys can be restricted to specific operations (read-only, write, admin).

Key Prefixes

All FluxPlay API keys are prefixed to make them identifiable and scannable by secret detection tools. If a key is accidentally committed to a repository, it can be identified immediately and revoked.

Server Key

fp_server_<64 hex chars>

Created by admins. Usable from any server-side context. Can be scoped to specific API endpoints.

User Key

fp_user_<64 hex chars>

Created by users. Inherits the user's permission set. Cannot be used for admin operations unless the user is an admin.

IP Restrictions

IP restrictions are specified as a comma-separated list of IPv4 addresses, IPv6 addresses, or CIDR ranges. A key with no IP restrictions is usable from any IP. Restrictions are evaluated before any other authorization check.

Example restrictions

  • 192.168.1.100
  • 10.0.0.0/8
  • 2001:db8::/32
  • 203.0.113.0/24, 198.51.100.42

Secure Storage

The plaintext API key is generated once and displayed to the user immediately after creation. After the user closes the dialog, the plaintext value is discarded. FluxPlay stores only the SHA-256 hash of the key. If a key is lost, it must be rotated — recovery is not possible.

Key Rotation Workflow

1

Initiate

Click Rotate on any existing key. A new plaintext value is generated.

2

Copy

Copy the new key immediately — this is the only time it is displayed.

3

Update integrations

Replace the old key value in every place it is used.

4

Confirm

Click Confirm Rotation. The old key is invalidated. The new hash is stored.

Next Steps

External Actions

Use API keys with custom action integrations

Audit Logs

Track all API key usage in the audit trail