Authentication
The Fluxpool API uses API keys for authentication. All requests require a valid key sent as a Bearer token — the same format used by the OpenAI API.
API Keys
Your API key is generated in the Fluxpool Dashboard. Keys are prefixed with fp_ and look like this:
fp_sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Keep your API key secret. Do not expose it in client-side code, public repositories, or frontend applications. Use environment variables or a secrets manager.
Making Requests
Include your API key in the Authorization header of every request.
Header Format
Authorization: Bearer fp_your_api_key
cURL Example
curl https://api.fluxpool.ai/v1/images/generations \
-H "Authorization: Bearer fp_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"model": "flux-1.1-pro",
"prompt": "A dragon on a neon-lit Tokyo rooftop, 8K",
"size": "1024x1024"
}'
Python Example
import os
from openai import OpenAI
client = OpenAI(
base_url="https://api.fluxpool.ai/v1",
api_key=os.environ["FLUXPOOL_API_KEY"]
)
response = client.images.generate(
model="flux-1.1-pro",
prompt="A dragon on a neon-lit Tokyo rooftop, 8K",
size="1024x1024"
)
print(response.data[0].url)
JavaScript / Node.js Example
import OpenAI from "openai";
const client = new OpenAI({
baseURL: "https://api.fluxpool.ai/v1",
apiKey: process.env.FLUXPOOL_API_KEY,
});
const response = await client.images.generate({
model: "flux-1.1-pro",
prompt: "A dragon on a neon-lit Tokyo rooftop, 8K",
size: "1024x1024",
});
console.log(response.data[0].url);
OpenAI SDK Compatibility
The Fluxpool API is OpenAI-compatible. If you already use the OpenAI Python or Node.js SDK, change two values: base_url and api_key. Everything else works as-is.
| Parameter | OpenAI Default | Fluxpool |
|---|---|---|
base_url / baseURL |
https://api.openai.com/v1 |
https://api.fluxpool.ai/v1 |
api_key / apiKey |
sk_... |
fp_... |
Tip: You don't need a Fluxpool-specific SDK. The official openai Python and Node.js packages work directly. Just change the base URL and API key.
API Key Management
Manage your keys in the Dashboard → API Keys section.
Creating a Key
- Go to Dashboard → API Keys.
- Click "Create new key."
- Give it a name (e.g.,
production,staging,my-app). - Copy the key immediately — it is shown only once.
Copy your key on creation. For security, the full key is displayed only once. If you lose it, revoke it and create a new one.
Rotating Keys
To rotate a key without downtime:
- Create a new key.
- Update your application to use the new key.
- Verify requests succeed with the new key.
- Revoke the old key.
Revoking Keys
Revoke any key instantly from the dashboard. Revoked keys stop working immediately — all in-flight requests using that key will fail.
Multiple Keys
You can create multiple API keys per account. Use separate keys for different environments (development, staging, production) or applications to isolate usage tracking and simplify rotation.
Rate Limits
Rate limits depend on your account tier and protect the platform from abuse.
| Tier | Requests / Min | Concurrent | Burst |
|---|---|---|---|
| Free | 10 | 2 | 15 |
| Pay As You Go | 60 | 10 | 100 |
| Enterprise | Custom | Custom | Custom |
Rate Limit Headers
Every API response includes rate limit headers:
x-ratelimit-limit: 60
x-ratelimit-remaining: 54
x-ratelimit-reset: 1720000000
| Header | Description |
|---|---|
x-ratelimit-limit |
Max requests per minute for your tier |
x-ratelimit-remaining |
Requests remaining in current window |
x-ratelimit-reset |
Unix timestamp when the window resets |
Handling Rate Limits
If you exceed the limit, the API returns 429 Too Many Requests. Implement exponential backoff or wait until x-ratelimit-reset.
import time
from openai import OpenAI, RateLimitError
client = OpenAI(
base_url="https://api.fluxpool.ai/v1",
api_key="fp_your_api_key"
)
def generate_with_retry(prompt, max_retries=3):
for attempt in range(max_retries):
try:
return client.images.generate(
model="flux-1.1-pro",
prompt=prompt
)
except RateLimitError:
wait = 2 ** attempt
time.sleep(wait)
raise Exception("Rate limit exceeded after retries")
Need higher limits? Contact us for enterprise-tier rate limits and dedicated endpoints.
Security Best Practices
-
Use environment variables. Never hardcode keys in source code.
Bash
export FLUXPOOL_API_KEY=fp_your_api_key - Never expose keys client-side. API calls must originate from your server or backend, not from browsers or mobile apps.
-
Use separate keys per environment.
production,staging, anddevelopmentkeys make rotation and auditing simpler. - Rotate keys periodically. Even without a suspected compromise, rotate keys every 90 days.
- Revoke compromised keys immediately. If a key is leaked in a public repo, logs, or error message, revoke it from the Dashboard and create a new one.
- Monitor usage. Check the Dashboard for unexpected spikes in generation volume, which could indicate key compromise.
Errors
Authentication-related error responses:
| Status | Error Code | Description | Fix |
|---|---|---|---|
401 |
invalid_api_key |
The API key is missing, malformed, or revoked. | Check the key value. Ensure the Authorization: Bearer prefix is present. |
401 |
expired_api_key |
The API key has been revoked or expired. | Create a new key in the Dashboard. |
403 |
insufficient_credits |
Your account has no remaining credits. | Top up credits to continue generating. |
429 |
rate_limit_exceeded |
Too many requests in the current window. | Wait and retry with backoff. See Rate Limits. |
{
"error": {
"type": "invalid_api_key",
"message": "The API key provided is invalid or has been revoked.",
"code": 401
}
}