Developers
Authentication
API v1 requires a FinkMesh API token in the Authorization header. Browser sessions are not accepted for public API routes.
Authorization: Bearer fmsh_live_...
Scopes
Use the narrowest scope possible. Read scopes include workflows:read, runs:read, templates:read, connections:read, webhooks:read, workspace:read, and support:read. Controlled workflow writes use workflows:run, workflows:pause, workflows:resume, workflows:write, and workflows:publish. Outbound webhook management uses webhooks:write. All public API writes require Idempotency-Key.
Token Operations
Create
Workspace owners and admins create API tokens from dashboard settings. Tokens expire by default.
Choose scopes
Start with read scopes; add write scopes only for the exact automation being built.
Rotate
Create a replacement token, update the caller, verify last-used activity, then revoke the old token.
Revoke
Revoke tokens immediately when a device, CI secret, integration, or smoke test token may be exposed.
Ownership
Tokens are tied to the workspace and the user who created them for audit attribution. Review tokens during user offboarding.
Last used
Settings shows last-used activity so you can verify rotation, identify stale callers, and remove unused tokens.
Frontend safety
Never put API tokens in browser code, mobile apps, public repos, logs, or support tickets.