API Keys

API keys allow server-to-server communication with Cueflow. Use them to manage contacts and track events from your backend.

When to Use API Keys

Use the server-side API when you need to:

Sync contacts from your database
Track events from webhooks
Update contact properties server-side
Integrate with backend processes

For client-side tracking, use the JavaScript SDK instead.

Managing API Keys

Access API Settings

Go to API Keys in the sidebar

Create an API Key

Click Create API Key
Enter a name (e.g., "Production Server", "Webhook Handler")
Click Create
Copy the key immediately - it won't be shown again

API keys are shown only once. Copy and store it securely before closing the dialog.

Key Format

API keys look like:

sk_a1b2c3d4e5f6...

The sk_ prefix indicates a secret key.

View Existing Keys

The API Keys page shows:

Key name
Key prefix (first 12 characters)
Created date
Last used date

Delete a Key

Find the key in the list
Click Delete
Confirm deletion

Deleting a key immediately invalidates it. Any systems using that key will stop working.

Using the API

Authentication

Include your API key in the Authorization header:

curl -X POST https://app.cueflow.so/api/v1/contacts \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ ... }'

API Endpoints

Contacts

Create or update a contact:

POST /api/v1/contacts

{
  "email": "[email protected]",
  "name": "Jane Smith",
  "plan": "pro",
  "customAttributes": {
    "company": "Acme Inc",
    "teamSize": 50
  }
}

Delete a contact:

DELETE /api/v1/contacts/[email protected]

Events

Track an event:

POST /api/v1/events

{
  "email": "[email protected]",
  "event": "subscription_renewed",
  "properties": {
    "plan": "pro",
    "amount": 99
  }
}

Response Format

Successful responses return JSON:

{
  "success": true,
  "contact": {
    "id": "clx...",
    "externalId": "user-123",
    "email": "[email protected]",
    ...
  }
}

Error responses:

{
  "error": "Not found",
  "message": "Contact not found"
}

Rate Limiting

API requests are rate limited:

300 requests per minute per API key
Rate limit headers included in responses:
- X-RateLimit-Limit: Request limit
- X-RateLimit-Remaining: Remaining requests
- X-RateLimit-Reset: Reset timestamp

Use Cases

When a user signs up in your app:

// Your signup handler
async function handleSignup(user) {
  // Create user in your database
  await db.createUser(user);

  // Sync to Cueflow
  await fetch('https://app.cueflow.so/api/v1/contacts', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.CUEFLOW_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      email: user.email,
      name: user.name,
      signedUpAt: new Date().toISOString()
    })
  });
}

Track Webhook Events

When receiving a Stripe webhook:

// Stripe webhook handler
app.post('/webhooks/stripe', async (req, res) => {
  const event = req.body;

  if (event.type === 'checkout.session.completed') {
    const session = event.data.object;

    // Track the event
    await fetch('https://app.cueflow.so/api/v1/events', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${process.env.CUEFLOW_API_KEY}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        email: session.customer_email,
        event: 'purchase_completed',
        properties: {
          amount: session.amount_total / 100,
          plan: session.metadata.plan
        }
      })
    });
  }

  res.json({ received: true });
});

Batch Updates

Update multiple contacts in a loop:

async function syncAllContacts() {
  const users = await db.getAllUsers();

  for (const user of users) {
    await fetch('https://app.cueflow.so/api/v1/contacts', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${process.env.CUEFLOW_API_KEY}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        email: user.email,
        name: user.name,
        plan: user.subscription.plan
      })
    });

    // Respect rate limits
    await sleep(100);
  }
}

Security Best Practices

Keep Keys Secret

Never commit keys to version control
Use environment variables
Don't expose in client-side code

Use Separate Keys

Create different keys for different environments
Name them clearly (Production, Staging, Development)
Rotate keys periodically

Monitor Usage

Check "Last Used" dates
Delete unused keys
Watch for unexpected activity

Rotate Keys

Create a new key
Update your systems to use the new key
Delete the old key

PreviousWorkspace Settings NextTeam Management

Last updated 1 month ago

Good afternoon

hashtagWhen to Use API Keys

hashtagManaging API Keys

hashtagAccess API Settings

hashtagCreate an API Key

hashtagKey Format

hashtagView Existing Keys

hashtagDelete a Key

hashtagUsing the API

hashtagAuthentication

hashtagAPI Endpoints

hashtagContacts

hashtagEvents

hashtagResponse Format

hashtagRate Limiting

hashtagUse Cases

hashtagSync Contacts on Signup

hashtagTrack Webhook Events

hashtagBatch Updates

hashtagSecurity Best Practices

hashtagKeep Keys Secret

hashtagUse Separate Keys

hashtagMonitor Usage

hashtagRotate Keys

When to Use API Keys

Managing API Keys

Access API Settings

Create an API Key

Key Format

View Existing Keys

Delete a Key

Using the API

Authentication

API Endpoints

Contacts

Events

Response Format

Rate Limiting

Use Cases

Sync Contacts on Signup

Track Webhook Events

Batch Updates

Security Best Practices

Keep Keys Secret

Use Separate Keys

Monitor Usage

Rotate Keys