API Keys
API keys control who can access your directory data. Each embed on your website should use its own API key.
Why API keys?
Section titled “Why API keys?”When you embed a FieldFlow directory on your website, the embed code needs a key to fetch data from FieldFlow’s servers. Keys let you:
- Control access — revoke a key without affecting other embeds
- Restrict domains — limit which websites can use the key
- Track usage — each key has its own usage metrics
Create an API key
Section titled “Create an API key”- Go to your project’s Publish tab
- In the API Keys section, click Create API Key
- Fill in:
- Name — a label for your reference (e.g., “WordPress site”, “Webflow embed”)
- Allowed Origins — the website domains where this key can be used (optional but recommended)
- Click Create
The key will be displayed once. Copy it immediately — you’ll need it for your embed code.
Domain restrictions
Section titled “Domain restrictions”The Allowed Origins field lets you restrict which websites can use this key. Enter one or more domains:
https://mywebsite.orghttps://www.mywebsite.orgIf left empty, the key works from any domain. For production sites, we recommend setting allowed origins to prevent unauthorized use.
Key format
Section titled “Key format”FieldFlow API keys look like this:
ff_live_9d0dae2ed14dfa9bd5b69c35bd9f13ff911deb6c1e3060e9The ff_live_ prefix identifies it as a FieldFlow key. Only the first 12 characters are shown in the dashboard after creation — use Reveal Key to see the full key.
Revoking a key
Section titled “Revoking a key”To revoke a key, click the Revoke button next to it in the Publish tab. This immediately stops all embeds using that key from loading data.
Best practices
Section titled “Best practices”- Create one key per website or embed location
- Set allowed origins on all production keys
- Revoke keys you no longer use
- Never share keys publicly (they’re included in embed code but scoped to read-only access)