API keys
Create, scope, and revoke API keys from the dashboard.
API keys are long-lived bearer tokens used to call the SaaSFlow API from servers, scripts, and CI. They're scoped to a single company and carry a custom set of permissions.
Format
sf_<36-char-id><36-char-secret>
The id half identifies the key in our records. The secret half is hashed (PBKDF2-SHA-512) before storage — we can't recover a lost key, only revoke and reissue.
Create a key
Open API keys
In the app, go to Settings → Company settings. Scroll to API keys.
Pick a name and permissions
Give the key a name (e.g. "CI pipeline", "production sync"). Use the permission picker to grant only what's needed:
- Default: viewer-equivalent (all :read permissions).
- Common: scoped read for analytics ingestion (subscriptions:read, customers:read, financials:read).
- Rarely needed: writes — only check :write boxes for systems that actually mutate data.
*:manage permissions are not available on API keys. Use a user account for admin operations.
Copy the key
After creating, the key is shown once. Copy it now. Once you dismiss the message, SaaSFlow shows only the first few characters.
sf_abc123…def456
Store it as a secret in your secret manager / CI / .env.local.
Use a key
Send as a bearer token:
curl https://api.saasflow.com/companies \
  -H "Authorization: Bearer sf_..."
In the CLI:
saasflow login --api-key sf_...
# or read from stdin
echo "sf_..." | saasflow login --api-key -
In the MCP server:
SAASFLOW_API_KEY=sf_...
Revoke a key
Settings → Company settings → API keys. Open the key's menu (⋯) and choose Delete. Revocation is immediate — the next request with that key fails with 401.
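The Format and Revoke sections above describe one scheme: look the key up by its id half, compare a PBKDF2-SHA-512 hash of the secret half, and return 401 once the record is gone. The Python below is an added example of that scheme, not SaaSFlow's code. The per-key salt, iteration count, lowercase alphanumeric charset, in-memory store, the 403 for a missing permission, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX, ID_LEN, SECRET_LEN = "sf_", 36, 36
ITERATIONS = 210_000  # assumed work factor; the page does not state one
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed charset

def split_key(key):
    """Return (key_id, secret), or None unless key is sf_ + 36 + 36 chars."""
    body = key[len(PREFIX):]
    if not key.startswith(PREFIX) or len(body) != ID_LEN + SECRET_LEN:
        return None
    return body[:ID_LEN], body[ID_LEN:]

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha512", secret.encode(), salt, ITERATIONS)

def issue(store, permissions):
    """Create a key; store only salt, hash and scopes; return plaintext once."""
    key_id = "".join(secrets.choice(ALPHABET) for _ in range(ID_LEN))
    secret = "".join(secrets.choice(ALPHABET) for _ in range(SECRET_LEN))
    salt = secrets.token_bytes(16)  # assumed per-key salt
    store[key_id] = {
        "salt": salt,
        "hash": _hash(secret, salt),
        "permissions": set(permissions),
    }
    return PREFIX + key_id + secret

def authenticate(store, authorization_header, needed):
    """Return 200, 401 (malformed, unknown, revoked or wrong secret) or 403."""
    scheme, _, token = authorization_header.partition(" ")
    parts = split_key(token) if scheme == "Bearer" else None
    record = store.get(parts[0]) if parts else None
    if record is None:
        return 401
    # Constant-time comparison of the derived hash against the stored one.
    if not hmac.compare_digest(_hash(parts[1], record["salt"]), record["hash"]):
        return 401
    return 200 if needed in record["permissions"] else 403  # 403 is assumed

def revoke(store, key_id):
    """Delete the record; the next request with that key gets 401."""
    store.pop(key_id, None)
```

Because the store holds only the salt and the derived hash, nothing in it can reproduce the plaintext key, which is why a lost key can only be revoked and reissued.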
Last-used tracking
Each key shows its Last used timestamp on the API keys page. Useful for rotating — if a key hasn't been used in months, it's probably safe to delete.