The Flightline API authenticates requests with organization-scoped API keys. Each key belongs to exactly one organization and can only access that organization’s reviews.

Using a key

Send the key as a Bearer token on every request:
curl https://api.flightlinehq.com/v1/reviews \
  -H "Authorization: Bearer fl_live_xxxxxxxxxxxxxxxxxxxx" \
  -F "review_type=mortgage_v1" \
  -F "documents=@full-case.zip;type=application/zip"
The X-Api-Key: <key> header is accepted as an alternative to the Authorization header.

Getting a key

API keys are issued per organization from your Flightline dashboard. Keys can be named, rotated, and revoked at any time; a revoked key stops working immediately.
Treat API keys like passwords. Store them in a secret manager, never in source control or client-side code. If a key is exposed, revoke it from the dashboard and issue a new one.

Errors

| Status | Meaning |
| --- | --- |
| 401 Unauthorized | Missing, malformed, revoked, or invalid key. |
| 403 Forbidden | The key is valid but not bound to an organization. |
| 404 Not Found | The review exists but not under your organization, or does not exist. |
A 404 is returned (rather than 403) when you request a review that belongs to another organization, so the API never confirms the existence of resources outside your tenant.
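
The status rules above, sketched as a server-side check. This is an added example, not Flightline's implementation: the `KEYS` and `REVIEWS` stores, the function names, and every key and review id are constructed for illustration. It shows why a tenant-scoped lookup yields the same 404 for another organization's review and for a review that does not exist.

```python
import hashlib
from typing import Optional


def _digest(key: str) -> str:
    # Assumption: keys are stored as SHA-256 digests, never in plaintext.
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample data (hypothetical schema): key digest -> key record.
KEYS = {
    _digest("fl_live_alpha_constructed"): {"org": "org_a", "revoked": False},
    _digest("fl_live_beta_constructed"): {"org": "org_b", "revoked": False},
    _digest("fl_live_old_constructed"): {"org": "org_a", "revoked": True},
    _digest("fl_live_orphan_constructed"): {"org": None, "revoked": False},
}
REVIEWS = {"rev_1": "org_a", "rev_2": "org_b"}  # review id -> owning org


def extract_key(headers: dict) -> Optional[str]:
    """Accept 'Authorization: Bearer <key>' or 'X-Api-Key: <key>'."""
    h = {name.lower(): value for name, value in headers.items()}
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return h.get("x-api-key") or None


def get_review_status(headers: dict, review_id: str) -> int:
    """Return the HTTP status for fetching review_id with these headers."""
    key = extract_key(headers)
    if key is None:
        return 401  # missing or malformed credentials
    record = KEYS.get(_digest(key))
    if record is None or record["revoked"]:
        return 401  # invalid or revoked key
    if record["org"] is None:
        return 403  # valid key with no organization binding
    # Tenant-scoped lookup: ownership is part of the match, so a review owned
    # by another org takes the same path as one that does not exist.
    if REVIEWS.get(review_id) != record["org"]:
        return 404
    return 200
```
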