API Keys
Flinku projects have two API key types. Both are sent the same way:
Authorization: Bearer <key>
Find both keys in the dashboard: Project → Settings → API Keys. Configure Allowed Domains in the same section when using a publishable key for link creation.
Publishable key (flk_pk_...)
Safe to embed in mobile apps, websites, and client-side code.
Can do:
- Resolve links — GET /api/links/resolve/:slug
- Create links — POST /api/links (and SDK createLink / createLinkInstant)
Requires Allowed Domains for link creation. Every destination URL hostname on the link must match a domain in your project's Allowed Domains list (subdomains are included). Without Allowed Domains configured, link creation returns 403.
SDK support: Flutter 0.3.5+, iOS 0.3.3+, Android 0.3.2+, React Native 0.2.2+, Capacitor 0.2.2+, Unity 0.1.2+. SDKs emit a one-time debug warning if a secret key is embedded instead.
Flinku.configure(
  baseUrl: 'https://yourapp.flku.dev',
  apiKey: 'flk_pk_...', // publishable — safe in apps
);
Use your publishable key (flk_pk_) in apps. Never embed your secret key (flk_live_).
Secret key (flk_live_...)
Full access to all link endpoints: list, update, delete, bulk, history, QR, trash, restore, clone, and more.
Server-side only. Never ship a secret key in a mobile app, website, or any client that users can inspect. Existing secret keys keep working unchanged.
# Server-side REST example (secret key)
curl -X POST https://flku.dev/api/links/bulk \
  -H "Authorization: Bearer flk_live_..." \
  -H "Content-Type: application/json" \
  -d '{ "projectId": "YOUR_PROJECT_ID", "links": [...] }'
Allowed Domains (publishable keys)
When creating links with a publishable key, Flinku checks that every destination URL hostname is allowed.
- Open Project → Settings → API Keys.
- Under Allowed Domains, add your app's domain(s), e.g. yourapp.com.
- Save.
Worked example
| Allowed Domains | Link destination | Result |
|---|---|---|
| yourapp.com | https://links.yourapp.com/promo | ✅ 201 — links.yourapp.com is a subdomain of yourapp.com |
| yourapp.com | https://evil.com/phish | ❌ 403 — hostname not in allowlist |
Subdomains count: if yourapp.com is allowed, links.yourapp.com, app.yourapp.com, and www.yourapp.com all pass.
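The rule above can be pre-checked in your own code before calling the API, so a bad destination is caught before the 403. This is an added example, not Flinku's server code or SDK: the function names are hypothetical, the sample URLs are constructed, and matching on a label boundary is an assumption about how "subdomain" is evaluated.

```javascript
// Added example: a local pre-check that mirrors the documented Allowed Domains rule.
// It is not Flinku's server code; the API's 201/403 response stays authoritative.

// True when hostname equals an allowed domain or is a subdomain of it.
// Matching on a label boundary ('.' + domain) is an assumption about "subdomain":
// it keeps "notyourapp.com" from passing for "yourapp.com".
function hostAllowed(hostname, allowedDomains) {
  return allowedDomains
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0)
    .some((d) => hostname === d || hostname.endsWith('.' + d));
}

// Check one destination URL. Returns { ok, hostname, reason }.
function checkDestination(destination, allowedDomains) {
  if (!allowedDomains || allowedDomains.length === 0) {
    return { ok: false, hostname: null, reason: 'Allowed Domains not configured' };
  }
  let hostname;
  try {
    // The WHATWG URL parser lowercases the host and separates userinfo and port,
    // so "https://yourapp.com@evil.com/" yields hostname "evil.com".
    hostname = new URL(destination).hostname;
  } catch (err) {
    return { ok: false, hostname: null, reason: 'unparseable URL' };
  }
  if (!hostname) return { ok: false, hostname, reason: 'URL has no hostname' };
  if (!hostAllowed(hostname, allowedDomains)) {
    return { ok: false, hostname, reason: 'hostname not in allowlist' };
  }
  return { ok: true, hostname, reason: null };
}

// Every destination on a link must pass; return the ones that would not.
function rejectedDestinations(destinations, allowedDomains) {
  return destinations
    .map((url) => ({ url, ...checkDestination(url, allowedDomains) }))
    .filter((result) => !result.ok);
}

// Constructed sample input: the two rows from the worked example plus look-alikes.
const SAMPLE_ALLOWED = ['yourapp.com'];
const SAMPLE_DESTINATIONS = [
  'https://links.yourapp.com/promo',
  'https://evil.com/phish',
  'https://yourapp.com@evil.com/login',
  'https://yourapp.com.evil.com/',
  'https://notyourapp.com/',
];
console.log(rejectedDestinations(SAMPLE_DESTINATIONS, SAMPLE_ALLOWED));
```

Only the first sample destination passes; the other four are returned with the hostname that was actually evaluated, which is the value to compare against the hostname named in the API's 403 message.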
Common 403 responses (verbatim)
Publishable key link creation requires Allowed Domains to be configured in project settings.
Destination URL hostname evil.com is not in your project's Allowed Domains list.
Endpoints that require a secret key return:
This endpoint requires a secret key. Use your secret key (flk_live_) for this operation.
SDKs surface these messages in thrown errors (or debug logs for createLinkInstant background POSTs) so you can fix allowlist configuration without guessing.
When to use which key
| Context | Key to use |
|---|---|
| Flutter / iOS / Android / RN / Capacitor / Unity app | flk_pk_... |
| Website or hybrid app (client-side) | flk_pk_... |
| Backend server, Cloud Function, CI/CD | flk_live_... |
| Bulk import, delete, admin scripts | flk_live_... |
| Dashboard (logged-in user) | Firebase ID token (not an API key) |
Prefer routing app link creation through your backend with a secret key when you cannot configure Allowed Domains or need endpoints publishable keys cannot access.
Regeneration
Secret key: Project → Settings → API Keys → Regenerate secret key. The previous key stops working immediately. Update every server, CI secret, and env var in the same change window.
Publishable key: Regenerate from the same screen if you suspect exposure. Update embedded keys in all app builds and redeploy.
Security best practices
- Never embed flk_live_ in apps — anyone can extract it and gain full access to your links.
- Use flk_pk_ in client code and configure Allowed Domains before calling createLink.
- Store secret keys in env vars or a secret manager — never commit them to git.
- Rotate immediately if a secret key is leaked; revoke the old key in the dashboard.
- Scope publishable keys with Allowed Domains — only list domains your app legitimately redirects to.
See also: API Reference · Integration Guide