API Access for Custom Applications
Custom applications interact with Flowlu exclusively through the public API. All data access and actions must be performed using authenticated API requests and are limited by the permissions declared in the application manifest.
Applications do not have direct access to Flowlu’s internal services, databases, or core logic. Any interaction with the platform outside of the documented API is not supported.
Authentication
Flowlu supports API access using API keys and OAuth 2.0.
User identity is determined only by an OAuth 2.0 access token.
When an API request includes an OAuth access token, the request is executed on behalf of the user to whom that token belongs.
API keys do not represent a specific user. They are intended for system-level or service-to-service access where user identity is not required.
Some API operations require elevated access, such as:
- a portal administrator account, or
- an API key with access to system-level methods.
The authentication method, token handling, and permission requirements depend on the specific API endpoints being used.
For a detailed explanation of authentication flows and when to use each method, see Authentication and Authorization.
Permissions and access control
API access is permission-based. Permissions requested by an application are defined in its manifest and must be approved by a portal administrator during installation.
All API requests are validated against:
- the permissions granted to the application, and
- the access rights of the user whose access token is used.
Only API operations covered by the approved permissions can be executed. Requests outside the granted scope are rejected automatically. This applies equally to both frontend and backend API calls.
Permission scopes are tied to API modules and models. For the full list of available scopes and corresponding endpoints, refer to the Flowlu API documentation.
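The following is an added illustration of the two-layer check described above, written for this page rather than taken from Flowlu's code or SDK. The scope strings, the manifest shape, the user-rights table and the list of system-level methods are all assumptions made for the example; the real scopes and their endpoints are listed in the Flowlu API documentation. The point it demonstrates is that both layers must pass independently: a scope the user holds but the application was never granted is still rejected, and an API key cannot substitute for a user's token on a user-scoped operation.

```javascript
// Added example, not Flowlu's code: the two-layer check an API request has
// to pass. Scope strings, manifest shape, rights table and system-level
// method list are assumptions made for this example.

// What a portal administrator approved for this app at installation time
// (hypothetical manifest contents).
const installedApp = {
  name: "example-app",
  grantedScopes: new Set([
    "crm.contact:read",
    "crm.contact:write",
    "task.task:read",
    "system.portal:read",
  ]),
};

// Rights of the users that OAuth access tokens can resolve to
// (constructed sample data).
const userRights = new Map([
  ["user-17", new Set(["crm.contact:read", "task.task:read", "task.task:write"])],
  ["user-42", new Set(["crm.contact:read", "crm.contact:write"])],
]);

// Methods that may be called with an API key, i.e. system-level methods
// that need no user context (assumed for the example).
const systemMethods = new Set(["system.portal:read"]);

// `auth` is what the request carried: { accessToken: { userId } } for an
// OAuth access token, or { apiKey: true } for an API key.
function authorize(scope, auth, app = installedApp) {
  // Layer 1: the application must have been granted the scope, whatever
  // credential the request carries.
  if (!app.grantedScopes.has(scope)) {
    return { allowed: false, reason: `scope ${scope} was not granted to ${app.name}` };
  }
  // Layer 2a: an access token acts as its user, so the user must hold the
  // right as well.
  if (auth && auth.accessToken) {
    const userId = auth.accessToken.userId;
    const rights = userRights.get(userId) || new Set();
    return rights.has(scope)
      ? { allowed: true, actor: userId }
      : { allowed: false, reason: `user ${userId} lacks ${scope}` };
  }
  // Layer 2b: an API key carries no user identity, so it only reaches
  // system-level methods.
  if (auth && auth.apiKey) {
    return systemMethods.has(scope)
      ? { allowed: true, actor: "system" }
      : { allowed: false, reason: `${scope} needs a user context; API keys carry no user identity` };
  }
  return { allowed: false, reason: "unauthenticated" };
}
```

Run it with a few calls to see the asymmetry: `user-17` holds `task.task:write` but the app was not granted it, so the call is rejected at layer 1; `user-42` can write contacts because both layers agree; an API key is refused for `crm.contact:read` even though the app holds that scope.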
Using the API in applications
Custom applications may use the API from:
- frontend code running in the browser, typically via the Flowlu JS SDK, or
- backend services hosted by the application developer.
When using the Flowlu JS SDK, frontend API requests are always executed using the access token of the currently authenticated user. This is the recommended and safest approach for frontend API access: the browser never has to hold an API key or another user's token, and every call is bounded by the signed-in user's own rights.
Backend services may perform API requests using access tokens of different users if the application's business logic requires it. In that case the developer is responsible for storing those tokens securely (encrypted at rest, readable only by the service that needs them), rotating them before they expire, and keeping them out of logs and error reports.
API keys and access tokens must never be exposed publicly: do not embed them in frontend bundles, commit them to repositories, or place them in URLs that may end up in logs.
Webhooks and event-driven workflows
In addition to direct API requests, Flowlu supports outgoing webhooks. Webhooks allow applications to receive real-time notifications about events such as entity creation, updates, or deletion.
Webhooks are configured in the portal settings and deliver event data via HTTP POST requests in JSON format.
See Webhooks for Custom Applications for details on webhook behavior, scope checks, and payload structure.
Rate limits and usage constraints
API usage is subject to platform limits to ensure stability and fair usage. Applications that exceed allowed limits may experience request throttling or temporary blocking.
Developers should design applications efficiently, avoid unnecessary requests, and handle API errors gracefully. Current rate limits and usage rules are documented in the Flowlu API reference.
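As an added example covering both the credential choice described under Authentication and the throttling behaviour described here (written for this page, not taken from Flowlu's SDK), the client below attaches either a user's OAuth access token or a system-level API key per call, treats permission failures as final rather than retrying them, and backs off on throttling while honouring a Retry-After header. Assumptions made for the example: the OAuth token is sent as an RFC 6750 "Authorization: Bearer" header, the API key header is named X-API-Key, throttling surfaces as HTTP 429 with an optional Retry-After in seconds, and the base URL and path are placeholders; the Flowlu API reference is authoritative for the real conventions. The fetch, sleep and random functions are injectable so the behaviour can be exercised offline.

```javascript
// Added example, not Flowlu's SDK: backend API client with per-call
// credential selection and backoff on throttling. Header names, status
// codes, base URL and path are assumptions made for this example.

class ApiClient {
  constructor({
    baseUrl,
    fetchImpl = globalThis.fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    rand = Math.random,
    maxRetries = 4,
  }) {
    this.baseUrl = baseUrl;
    this.fetch = fetchImpl;
    this.sleep = sleep;
    this.rand = rand;
    this.maxRetries = maxRetries;
  }

  // An access token makes the request act as its user; an API key is for
  // system-level methods only. Exactly one of them must be present.
  headersFor(credential) {
    if (credential && credential.accessToken) {
      return { Authorization: `Bearer ${credential.accessToken}` };
    }
    if (credential && credential.apiKey) {
      return { "X-API-Key": credential.apiKey };
    }
    throw new Error("each request needs either an OAuth access token or an API key");
  }

  async request(method, path, credential, body) {
    const url = new URL(path, this.baseUrl).toString();
    const headers = { Accept: "application/json", ...this.headersFor(credential) };
    if (body !== undefined) headers["Content-Type"] = "application/json";
    for (let attempt = 0; ; attempt++) {
      const res = await this.fetch(url, {
        method,
        headers,
        body: body === undefined ? undefined : JSON.stringify(body),
      });
      if (res.status >= 200 && res.status < 300) return res.json();
      // Authentication and permission failures are final: retrying cannot
      // widen the scopes granted to the app or the user's rights.
      if (res.status === 401 || res.status === 403) {
        throw new Error(`HTTP ${res.status} for ${method} ${path}: check the credential and the scopes granted to the application`);
      }
      const retryable = res.status === 429 || res.status >= 500;
      if (!retryable || attempt >= this.maxRetries) {
        throw new Error(`HTTP ${res.status} for ${method} ${path} after ${attempt} retries`);
      }
      await this.sleep(retryDelayMs(res.headers.get("retry-after"), attempt, this.rand));
    }
  }
}

// Honour Retry-After (seconds form; the HTTP-date form is not handled
// here). Otherwise use exponential backoff with full jitter, capped so a
// long outage does not turn into very long sleeps.
function retryDelayMs(retryAfter, attempt, rand = Math.random, baseMs = 500, capMs = 30_000) {
  const seconds = Number(retryAfter);
  if (retryAfter !== null && retryAfter !== undefined && retryAfter !== "" && Number.isFinite(seconds) && seconds >= 0) {
    return Math.min(capMs, seconds * 1000);
  }
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}
```

The distinction between retryable and final failures is the part that keeps an application from amplifying its own problem: a 429 is a request to slow down and is worth waiting out, while a 403 from a scope the manifest never declared will stay a 403 no matter how often it is resent.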