Authentication

The FloatMessage API uses personal API keys. Every request to /api/v1 and the /api/mcp server must include your key as a Bearer token.

Creating & managing keys

Manage keys under Account → API Keys. You can create multiple named keys (one per integration) and revoke any of them instantly. The full token is displayed once at creation - store it somewhere safe; we only keep a hash and can never show it again.

Sending the token

curl https://floatmessage.com/api/v1/me \
  -H "Authorization: Bearer fm_live_YOUR_KEY"

A missing or invalid key returns 401:

{ "error": { "code": "unauthorized", "message": "Missing or invalid API key." } }

Security model

  • Keys are stored as a SHA-256 hash. The plaintext never touches our database after creation.
  • A key grants the same access as the account that owns it; each request is scoped to a single domain. Treat it like a password.
  • Because authentication is a header token (not a cookie), the API has no CSRF surface and allows cross-origin requests. Never embed a key in client-side browser code that ships to visitors.
  • Revoke a key the moment it might be exposed - it stops working immediately.

Plan access

All plans (including Free) can use the API. Creating resources is subject to the same plan limits and trial rules as the dashboard - for example, an expired trial returns 403 trial_expired on writes, and per-plan caps return 403 plan_limit.
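As an added illustration of the security model and plan-access rules above (example code written for this page, not FloatMessage's own implementation): a minimal server-side check that stores only SHA-256 hashes, honours revocation, returns the 401 body shown above, and applies the 403 trial_expired / plan_limit codes. The store layout, the token format after the fm_live_ prefix, and the 403 messages are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory key store: only the SHA-256 digest of each key is kept,
# as the security model above describes. Key names, the store layout and the
# token format after the "fm_live_" prefix are assumptions for this example.
KEY_PREFIX = "fm_live_"

def create_key(store, name):
    """Mint a key, persist only its hash, and return the plaintext exactly once."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    store[digest] = {"name": name, "revoked": False}
    return plaintext

def revoke_key(store, plaintext):
    """Revocation takes effect on the next request; the hash entry is just flagged."""
    digest = hashlib.sha256(plaintext.encode()).hexdigest()
    if digest in store:
        store[digest]["revoked"] = True

def unauthorized():
    # Exact 401 body shown on this page.
    return 401, {"error": {"code": "unauthorized", "message": "Missing or invalid API key."}}

def authenticate(store, headers):
    """Check the Bearer header; returns (status, body) like the API's responses."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return unauthorized()
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Compare digests in constant time, the usual habit for secret-derived values.
    for digest, meta in store.items():
        if hmac.compare_digest(presented, digest) and not meta["revoked"]:
            return 200, {"key": meta["name"]}
    return unauthorized()

def authorize_write(account):
    """Plan checks run after authentication; codes are from this page, messages assumed."""
    if account.get("trial_expired"):
        return 403, {"error": {"code": "trial_expired", "message": "Trial has expired."}}
    if account.get("resources", 0) >= account.get("plan_cap", 0):
        return 403, {"error": {"code": "plan_limit", "message": "Plan limit reached."}}
    return 200, None
```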