To obtain an API token, you must first create a merchant account on the Flow Payments platform.

> [!CAUTION]
> Keep your API tokens secure. Never share them publicly and do not commit them to your source code. If a token is compromised, revoke it immediately and generate a new one.

Include your API token in the `Authorization` header of each request using the Bearer scheme:

```http
Authorization: Bearer your_api_token_here
```

```bash
curl -X GET https://api.flow-payments.com/api/balances \
  -H "Authorization: Bearer sk_live_abc123xyz789..." \
  -H "Accept: application/json"
```

```javascript
// Read the token from the environment instead of hardcoding it in source.
const token = process.env.FLOW_PAYMENTS_API_TOKEN;

const response = await fetch('https://api.flow-payments.com/api/balances', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${token}`,
    'Accept': 'application/json',
    'Content-Type': 'application/json'
  }
});
const data = await response.json();
console.log(data);
```
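
```php
<?php
// Read the token from the environment instead of hardcoding it in source.
$token = getenv('FLOW_PAYMENTS_API_TOKEN');

$ch = curl_init('https://api.flow-payments.com/api/balances');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer ' . $token,
    'Accept: application/json',
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false on transport errors; only decode a real body.
$data = $response === false ? null : json_decode($response, true);
```
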
If your token is missing, invalid, or expired, you will receive a 401 Unauthorized response:

```json
{
  "message": "Unauthenticated."
}
```

Possible solutions:

- `Authorization` header is present
- `Bearer`

If you attempt to access a resource that does not belong to you:

```json
{
  "message": "This action is unauthorized."
}
```

> [!IMPORTANT]
> Follow these recommendations to secure your API tokens:

```bash
# .env
FLOW_PAYMENTS_API_TOKEN=sk_live_abc123xyz789...
```

If you believe a token has been compromised:
The API implements rate limiting at 30 requests per minute per API token to ensure service stability.
If you exceed the rate limit, you will receive an HTTP 429 Too Many Requests response. Please reduce the frequency of your requests.

> [!TIP]
> If you need a higher rate limit for your use case, please contact our support team to discuss your requirements.
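
The 401 and rate-limit behaviour described above, as an added example that is not Flow Payments code: a Node.js client that reads the token from `FLOW_PAYMENTS_API_TOKEN`, paces itself under 30 requests per minute, and backs off on 429. The function names, the retry count and the backoff delays are assumptions, not values from the API.

```javascript
// Added example (not Flow Payments code). Page facts: Bearer auth, 401, 429,
// 30 requests/minute per token. Retry count and backoff are assumptions.
const LIMIT = 30, WINDOW_MS = 60_000;

// Sliding-window pacer: reserve(now) books a send slot and returns the ms to
// wait so each send is at least one window after the send `limit` places back.
function createLimiter(limit = LIMIT, windowMs = WINDOW_MS) {
  const slots = []; // booked send times in ms, oldest first
  return function reserve(now) {
    while (slots.length && slots[0] <= now - windowMs) slots.shift();
    const at = slots.length < limit
      ? now
      : Math.max(now, slots[slots.length - limit] + windowMs);
    slots.push(at);
    return at - now;
  };
}

// Decide what to do with a status code the page documents.
function nextAction(status, attempt, maxRetries = 3) {
  if (status === 401) return { retry: false, error: 'token missing, invalid, or expired' };
  if (status === 429) {
    return attempt < maxRetries
      ? { retry: true, delayMs: 2000 * 2 ** attempt } // 2 s, 4 s, 8 s
      : { retry: false, error: 'rate limit still exceeded' };
  }
  return { retry: false };
}

const reserve = createLimiter(); // one pacer per token
const pause = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

async function getBalances(fetchImpl = fetch, sleep = pause) {
  const token = process.env.FLOW_PAYMENTS_API_TOKEN; // never hardcode or log it
  if (!token) throw new Error('FLOW_PAYMENTS_API_TOKEN is not set');
  for (let attempt = 0; ; attempt++) {
    await sleep(reserve(Date.now()));
    const res = await fetchImpl('https://api.flow-payments.com/api/balances', {
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
    });
    const action = nextAction(res.status, attempt);
    if (action.retry) { await sleep(action.delayMs); continue; }
    if (action.error || !res.ok) {
      throw new Error(`HTTP ${res.status}: ${action.error || 'request failed'}`);
    }
    return res.json();
  }
}
```

A 401 is never retried, since resending the same missing, invalid, or expired token cannot succeed; error messages carry only the status code, never the token.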