Authentication
Every API request to ParseFlow requires authentication via an API key. This guide covers how to create, use, rotate, and secure your keys.
Getting Your API Key
1. Sign up or log in at the Dashboard.
2. Click + New Key and give it a descriptive name (e.g., “Production”, “Staging”).
3. Copy the key immediately. It is shown only once and cannot be retrieved later.
You can also create API keys programmatically via the POST /api/auth/register endpoint.
Using Your API Key
Include your key in every request using one of these methods:
Method 1: X-API-Key Header (Recommended)
```bash
curl -X POST https://parseflow.dev/api/v1/extract \
  -H "X-API-Key: dm_live_your_api_key_here" \
  -F "file=@invoice.pdf"
```
Method 2: Authorization Bearer
```bash
curl -X POST https://parseflow.dev/api/v1/extract \
  -H "Authorization: Bearer dm_live_your_api_key_here" \
  -F "file=@invoice.pdf"
```
Python Example
```python
import requests

# Open the file in a context manager so the handle is closed after the upload.
with open("invoice.pdf", "rb") as f:
    response = requests.post(
        "https://parseflow.dev/api/v1/extract",
        headers={"X-API-Key": "dm_live_your_api_key_here"},
        files={"file": f},
        data={"document_type": "invoice"},
    )
print(response.json())
```
Node.js Example
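```javascript
const FormData = require('form-data');
const fs = require('fs');
const axios = require('axios');

// await is not available at the top level of a CommonJS module, so wrap the call.
async function main() {
  const form = new FormData();
  form.append('file', fs.createReadStream('invoice.pdf'));
  form.append('document_type', 'invoice');
  const response = await axios.post(
    'https://parseflow.dev/api/v1/extract',
    form,
    {
      headers: {
        'X-API-Key': 'dm_live_your_api_key_here',
        ...form.getHeaders()
      }
    }
  );
  console.log(response.data);
}

// Log only the message: the axios error object carries the request headers, including the key.
main().catch((err) => console.error(err.message));
```
Go Example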
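```go
// body (*bytes.Buffer) and writer (*multipart.Writer) hold the multipart form with the file part.
req, err := http.NewRequest("POST",
	"https://parseflow.dev/api/v1/extract", body)
if err != nil {
	log.Fatal(err)
}
req.Header.Set("X-API-Key", "dm_live_your_api_key_here")
req.Header.Set("Content-Type", writer.FormDataContentType())
resp, err := http.DefaultClient.Do(req) // check err, then defer resp.Body.Close()
```
Key Formats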
All ParseFlow API keys follow a consistent format:
| Prefix | Environment | Example |
|---|---|---|
| dm_live_ | Production | dm_live_a1b2c3d4e5f6... |
| dm_test_ | Testing (coming soon) | dm_test_a1b2c3d4e5f6... |
Keys are 56 characters long: 8-character prefix + 48 random hex characters.
Security Best Practices
- Never expose keys in client-side code. Always call the API from your backend.
- Use environment variables to store keys. Never commit them to version control.
- Use separate keys for different environments (production, staging, development).
- Revoke compromised keys immediately from the dashboard.
- Rotate keys periodically — we recommend every 90 days.
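The fixed key format makes two of these practices checkable in code. The following is an added example, not ParseFlow's own code: it validates a key loaded from the environment and scans text (for instance, in a pre-commit hook) for hard-coded keys. The environment variable name `PARSEFLOW_API_KEY`, the function names, and the acceptance of upper-case hex are assumptions; the sample input is constructed.

```python
import os
import re

# Format from the "Key Formats" section: 8-character prefix + 48 hex characters.
# Assumption: hex digits may be either case; the page's examples are lowercase.
KEY_RE = re.compile(r"\bdm_(?:live|test)_[0-9a-fA-F]{48}\b")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so findings can be told apart
    without writing the secret into logs or CI output."""
    return key[:8] + "*" * 44 + key[-4:]


def find_leaked_keys(text: str):
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((lineno, redact(match.group())))
    return findings


def load_key(env_var: str = "PARSEFLOW_API_KEY") -> str:
    """Read the key from the environment; fail fast if absent or malformed.
    The error message never includes the value that was read."""
    key = os.environ.get(env_var, "")
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{env_var} is unset or not a 56-character ParseFlow key")
    return key


# Constructed sample: a source file with one hard-coded (fake) key and the
# documentation placeholder, which is not key-shaped and must not be flagged.
FAKE_KEY = "dm_live_" + "0123456789abcdef" * 3
SAMPLE = f'''import os
API_URL = "https://parseflow.dev/api/v1/extract"
API_KEY = "{FAKE_KEY}"  # hard-coded: should come from the environment
PLACEHOLDER = "dm_live_your_api_key_here"
'''

if __name__ == "__main__":
    for lineno, masked in find_leaked_keys(SAMPLE):
        print(f"line {lineno}: possible ParseFlow key {masked}")
```

A key that this scan finds in a committed file should be treated as compromised and revoked, since removing it from the latest revision does not remove it from history.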
Key Rotation
To rotate a key without downtime:
- Create a new API key from the dashboard
- Update your application to use the new key
- Deploy the change and verify it works
- Revoke the old key from the dashboard
Both keys will work simultaneously during the transition, so there is no downtime.
Rate Limits by Plan
| Plan | Requests/min | Documents/month | Max File Size |
|---|---|---|---|
| Free | 60 | 100 | 5 MB |
| Starter | 60 | 1,000 | 20 MB |
| Pro | 60 | 10,000 | 50 MB |
| Enterprise | 120 | 100,000 | 100 MB |
Error Responses
Authentication-related errors:
| Status | Code | Description |
|---|---|---|
| 401 | AUTH_MISSING | No API key provided. Include X-API-Key or Authorization header. |
| 401 | AUTH_INVALID | API key is invalid, expired, or has been revoked. |
| 429 | RATE_LIMITED | Too many requests per minute. Check the Retry-After header. |
| 429 | QUOTA_EXCEEDED | Monthly document limit reached. Upgrade your plan. |
Example Error Response
```json
{
  "error": "Missing API key. Include X-API-Key header.",
  "code": "AUTH_MISSING"
}
```