DeckFlow Logo Developers DeckFlow documentation
Get Started
Developer GuideAPI ReferenceMCPCLI

API Key

Generate your DeckFlow API key from Settings. Use it to authenticate API requests, MCP integrations, CLI workflows, and server-side automation.

DeckFlow uses API key authentication for developer access. The key is connected to the account or workspace where it was created, and usage from that key consumes the corresponding quota.

Getting Your API Key

  1. Log in to DeckFlow.
  2. Open Settings.
  3. Go to the API key section.
  4. Generate or copy your API key.

Keep the key private. It can create jobs, access workspace resources, and consume Credit or Spark quota.

Configuring Your API Key

  export DECKFLOW_API_KEY="Bearer "
  export DECKFLOW_API_BASE="https://app.deckflow.com/api"

.env file

If your project uses a .env file, store the key outside your source code:

DECKFLOW_API_KEY="Bearer "
DECKFLOW_API_BASE=https://app.deckflow.com/api

MCP and CLI

For MCP clients, local agents, CI jobs, and CLI automation, set DECKFLOW_API_KEY before starting the workflow.

  export DECKFLOW_API_KEY="Bearer "
  # Start your MCP client, CLI command, or agent process after this.

In CI, store the key in your provider's secret manager. Do not paste API keys into prompts, notebooks, committed config files, or browser-only code.

Using the Key in Requests

All DeckFlow API requests authenticate with the Authorization header.

  curl -X POST "$DECKFLOW_API_BASE/tools/tasks" \
    -H "Authorization: $DECKFLOW_API_KEY"
  const response = await fetch(`${process.env.DECKFLOW_API_BASE}/tools/tasks`, {
    method: "POST",
    headers: { "Authorization": process.env.DECKFLOW_API_KEY },
  });
  import os, requests

  response = requests.post(
      f"{os.environ['DECKFLOW_API_BASE']}/tools/tasks",
      headers={"Authorization": os.environ["DECKFLOW_API_KEY"]},
      timeout=60,
  )

Key Scope and Billing

Requests are billed to the account or workspace associated with the API key. If the key is used by a server, CI job, MCP client, or CLI script, all jobs started by that environment consume the same workspace quota.

For quota details, see Pricing & Billing.

Troubleshooting

StatusMeaningWhat to check
401The key is missing, invalid, expired, or sent in the wrong header.Confirm the Authorization header and copy the key again from Settings.
403The key is valid but cannot access the requested workspace, feature, or resource.Check workspace membership, plan permissions, and feature availability.
429The key is valid but the account is over a rate or quota limit.Reduce concurrency or wait for quota recovery.

Security Best Practices

  • Never commit your API key to version control. Add .env to .gitignore.
  • Never expose the key in client-side or browser code. Call DeckFlow from a backend or trusted automation environment.
  • Rotate keys when access changes. Regenerate the key from Settings when a teammate leaves, a server is replaced, or a secret may have been exposed.
  • Monitor usage in DeckFlow Settings. Review quota consumption for unexpected jobs or unusual traffic.