Overview
How Notiflows secures your integration across APIs, keys, and origins
Security
Notiflows uses a layered security model to protect your integration. Each layer serves a different purpose:
| Layer | What it does | Where to configure |
|---|---|---|
| API Keys | Identify your project and authenticate server-to-server requests | Settings → API Keys |
| Client Authentication | Verify user identity in browser requests via signed JWTs | Settings → API Keys → Client Authentication |
| Allowed Origins | Restrict which domains can make browser requests | Settings → API Keys → Allowed Origins |
Which APIs use what
| API | Authentication | Learn more |
|---|---|---|
| Admin API | API key + secret key | Admin API Reference |
| User API | API key + user token (or user ID in dev mode) | User API Reference |
Production checklist
Before going live, make sure you have:
- Security Mode enabled — so client requests require signed JWTs, not plain user IDs
- Allowed origins configured — so only your domains can call the User API from the browser
- Secret key stored securely — never in client-side code or version control
- Short-lived user tokens — set JWT expiry to 1 hour or less
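
The check below is an added example, not Notiflows code. It lints a user token your backend minted against the checklist: signed, carries an expiry, and lives 1 hour or less. This page does not specify the token format, so the HS256 algorithm, the `sub`/`iat`/`exp` claims, and the names `mint_token` and `audit_token` are assumptions; the sample token is constructed.

```python
import base64
import hashlib
import hmac
import json

MAX_LIFETIME = 3600  # checklist: JWT expiry of 1 hour or less


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(secret: bytes, user_id: str, now: int, ttl=None) -> str:
    """Build a constructed HS256 sample token (format is an assumption)."""
    payload = {"sub": user_id, "iat": now}
    if ttl is not None:
        payload["exp"] = now + ttl
    parts = [{"alg": "HS256", "typ": "JWT"}, payload]
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def audit_token(token: str, now: int) -> list:
    """Return checklist violations. Lints claims only; verifies no signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        header, payload = (
            json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
            for p in parts[:2]
        )
    except ValueError:
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        problems.append("token is unsigned")
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, (int, float)):
        return problems + ["no exp claim: token never expires"]
    if exp <= now:
        problems.append("token already expired")
    issued = iat if isinstance(iat, (int, float)) else now
    if exp - issued > MAX_LIFETIME:
        problems.append("lifetime exceeds 1 hour")
    return problems
```

Run `audit_token` in a backend test against whatever your token-minting code produces, and fail the build on a non-empty result.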