When you build on TheFluxTrain, you authenticate API requests with an API key. Sign-in on the website is only for managing keys and using the product in the browser.
Use this for REST calls from your backend, scripts, automation tools, and the CLI after tft login.
| Header | Example |
|---|---|
x-api-key | x-api-key: your-secret-key |
Create keys under Account → API keys. If the key is missing, wrong, revoked, or past its expiry, the API responds with 403 Unauthorised.
Example with curl:
curl -X POST "https://api.thefluxtrain.com/api/v1/jobs/check-status/YOUR_JOB_ID" \
-H "x-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json"
The CLI stores an API key locally after you complete device-code sign-in at thefluxtrain.com/cli/authorize. The CLI sends the same x-api-key header on API requests. You do not need to copy the secret into your shell.
| What you are doing | How you authenticate |
|---|---|
| Calling generation, jobs, or other REST endpoints | x-api-key |
Using the CLI (tft login) | API key saved locally by the CLI |
| Creating or revoking API keys on the website | Sign in on thefluxtrain.com (not via API key) |
You cannot use an API key to create or delete other API keys.
Using TheFluxTrain in the browser uses your normal account login. That session is separate from API keys. For anything you build outside the website, use an API key as described above.