FlowBeacon Public API
Server-to-server HTTP/JSON API for submitting automation blueprints to FlowBeacon's governance engine and retrieving violations, remediation guidance, and compliance rollups.
Designed to be embedded in Make.com Custom Apps, internal admin tools, CI/CD pipelines, and observability dashboards.
Auth model: every authenticated request carries a Bearer API key and an
X-FB-Signature HMAC header. See the Authentication tag for full details.
Response envelope: all 2xx responses are wrapped:
{ "ok": true, "data": { /* ... */ }, "meta": { "watermark": "wm_a1b2c3d4" } }
Authentication
- HTTP: Bearer Auth
- API Key: hmacSignature
- API Key: sessionAuth
Authorization: Bearer fb_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. Keys are 56 characters total,
SHA-256 hashed at rest, and shown to the operator exactly once on creation.
| Security Scheme Type | http |
|---|---|
| HTTP Authorization Scheme | bearer |
| Bearer format | fb_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (48 hex chars) |
HMAC-SHA-256 signature header in the format:
t=<unix>,v1=<lowercase hex>.
Canonical signing string:
message = "{timestamp}.{HTTP_METHOD}.{request_path}.{raw_request_body}"
Signing key is the raw API key. Tolerance window: 300 seconds.
Missing header → 403 Missing request signature.
Mismatch / stale → 403 Invalid request signature.
| Security Scheme Type | apiKey |
|---|---|
| Header parameter name | X-FB-Signature |
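As an added example (not FlowBeacon's own code or SDK), the following Python signs a request using the canonical signing string above and shows the server-side verification that produces the two documented 403 responses: a missing X-FB-Signature header, and a stale or mismatched signature. The API key, endpoint path and request body are constructed placeholders. It also assumes that request_path excludes any query string and that HTTP_METHOD is uppercase, neither of which the page states.

```python
import hashlib
import hmac
import re
import time

# Tolerance window from the FlowBeacon docs: a timestamp more than this many
# seconds away from the server clock is rejected as stale.
TOLERANCE_SECONDS = 300

# Constructed placeholder key for this example (8-char prefix + 48 hex chars).
EXAMPLE_API_KEY = "fb_live_" + "0123456789abcdef" * 3

# Hypothetical endpoint path used only for this example.
EXAMPLE_PATH = "/api/public/v1/example"

_HEX64 = re.compile(r"[0-9a-f]{64}")


def canonical_message(timestamp: int, method: str, path: str, raw_body: bytes) -> bytes:
    """Build "{timestamp}.{HTTP_METHOD}.{request_path}.{raw_request_body}".

    The body is appended as the exact bytes that go on the wire. Re-serialising
    the JSON on either side can change whitespace or key order and break the MAC.
    Uppercasing the method is an assumption of this example, not something the
    docs state.
    """
    prefix = f"{timestamp}.{method.upper()}.{path}.".encode("utf-8")
    return prefix + raw_body


def compute_v1(api_key: str, timestamp: int, method: str, path: str, raw_body: bytes) -> str:
    """HMAC-SHA-256 over the canonical message, keyed with the raw API key, as lowercase hex."""
    mac = hmac.new(
        api_key.encode("utf-8"),
        canonical_message(timestamp, method, path, raw_body),
        hashlib.sha256,
    )
    return mac.hexdigest()


def sign_request(api_key: str, method: str, path: str, raw_body: bytes, timestamp=None) -> str:
    """Client side: produce the X-FB-Signature header value "t=<unix>,v1=<hex>"."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    return f"t={ts},v1={compute_v1(api_key, ts, method, path, raw_body)}"


def parse_signature_header(value: str):
    """Return (timestamp, v1) or None if the header is not well-formed."""
    fields = {}
    for part in value.split(","):
        if "=" not in part:
            return None
        key, val = part.split("=", 1)
        fields[key.strip()] = val.strip()
    if "t" not in fields or "v1" not in fields:
        return None
    try:
        ts = int(fields["t"])
    except ValueError:
        return None
    if not _HEX64.fullmatch(fields["v1"]):
        return None
    return ts, fields["v1"]


def verify_request(api_key: str, header_value: str, method: str, path: str, raw_body: bytes, now=None):
    """Server side: return (http_status, message) matching the documented 403 responses."""
    if not header_value:
        return 403, "Missing request signature"
    parsed = parse_signature_header(header_value)
    if parsed is None:
        return 403, "Invalid request signature"
    ts, presented = parsed
    current = int(time.time()) if now is None else int(now)
    # Replay window: reject anything outside +/- TOLERANCE_SECONDS before computing a MAC.
    if abs(current - ts) > TOLERANCE_SECONDS:
        return 403, "Invalid request signature"
    expected = compute_v1(api_key, ts, method, path, raw_body)
    # Constant-time comparison so a mismatch leaks nothing about where the digests diverge.
    if not hmac.compare_digest(expected, presented):
        return 403, "Invalid request signature"
    return 200, "ok"


if __name__ == "__main__":
    body = b'{"blueprint_id":"bp_demo"}'  # constructed sample body
    header = sign_request(EXAMPLE_API_KEY, "POST", EXAMPLE_PATH, body)
    print("X-FB-Signature:", header)
    print(verify_request(EXAMPLE_API_KEY, header, "POST", EXAMPLE_PATH, body))
```

Two practical points follow from the canonical string. First, the client must sign the exact bytes it sends: build the body once, sign it, and pass the same bytes to the HTTP library rather than letting it re-encode a dict. Second, a 403 with "Invalid request signature" covers both a bad MAC and a timestamp outside the 300-second window, so when a previously working integration starts failing, check the caller's clock before the key.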
Browser session cookie (NextAuth). Only used by /keys/* admin endpoints,
which live at /api/v1/keys — outside /api/public/v1/*.
| Security Scheme Type | apiKey |
|---|---|
| Cookie parameter name | __Secure-next-auth.session-token |
API Fair Use Policy
By accessing or using our APIs, you agree to this Fair Use Policy. We implement these measures to ensure platform stability, security, and optimal performance for all users.
1. Rate Limits and Quotas
- Throttling: API access is subject to strict volume limits based on your subscription tier. Standard endpoints are limited to [Insert Number, e.g., 60] requests per minute.
- Concurrent Requests: You may not exceed [Insert Number, e.g., 5] simultaneous concurrent connections to our servers.
- Surge Protection: Automated systems will temporarily block or throttle traffic that exhibits sudden, extreme spikes that threaten server stability.
2. Prohibited Behavior
- Circumvention: You must not attempt to bypass rate limits by using multiple API keys, rotating IP addresses, or creating duplicate developer accounts.
- Data Scraping: You may not use the API to systematically download, scrape, or extract our entire database for the purpose of replicating our service or training machine learning models.
- Load Testing: You are strictly prohibited from conducting performance, stress, or load testing against our production API endpoints without prior written consent from our engineering team.
3. Monitoring and Enforcement
- Traffic Audits: We continuously monitor API traffic patterns to detect abuse, security vulnerabilities, or operational inefficiencies.
- Service Suspension: We reserve the right to immediately suspend or permanently revoke your API access, without notice or liability, if we determine you are violating this Fair Use Policy.
- Modifications: We may update these operational limits at any time. Continued use of the API after changes are posted constitutes acceptance of the new terms.