API Reference
Authentication
All FlexRate API endpoints require a shared bearer token passed in the Authorization header.
Bearer Token
Every request must include an Authorization header:
Authorization: Bearer <FLEXRATE_INTERNAL_TOKEN>

The token value is set in the server's .env file under FLEXRATE_INTERNAL_TOKEN. It is compared server-side with a constant-time equality check (hash_equals), so the time taken to reject a wrong token does not reveal how many of its leading bytes matched the real one.
Error Responses
A missing or invalid token returns 401 Unauthorized:
{ "message": "Unauthorized" }

Security Notes
- The token is not user-scoped: it grants access to every endpoint to any server that holds it, so treat possession of the token as full API access.
- Rotate the token by updating FLEXRATE_INTERNAL_TOKEN in .env and restarting the application. No migrations are required. Because a single shared value is compared, there is no overlap period: callers still sending the old token receive 401 after the restart, so update client configuration in the same window.
- Do not expose this token to browser-side JavaScript. All calls must originate from a trusted server context.
- The middleware is fail-closed: if FLEXRATE_INTERNAL_TOKEN is empty or unset, all requests are rejected.
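The following is an added illustration of the checks described above, not FlexRate's own middleware. It is a framework-agnostic PHP function (the function name, return shape and sample inputs are assumptions made for this example) that parses the Authorization header, fails closed when the configured token is empty or unset, compares with hash_equals, and produces the documented 401 body on any failure.

```php
<?php
declare(strict_types=1);

// Added example, not FlexRate's own code. Demonstrates the behaviour the
// reference describes: fail-closed on an empty FLEXRATE_INTERNAL_TOKEN,
// constant-time comparison via hash_equals(), and a 401 JSON body on denial.
// Names (flexrateAuthorize, the result array keys) are illustrative.

/**
 * Decide whether a request is authorised.
 *
 * @param string|null $authorizationHeader Raw Authorization header value, or null if absent.
 * @param string|null $configuredToken     FLEXRATE_INTERNAL_TOKEN as read from the environment.
 * @return array{ok: bool, status: int, body: string}
 */
function flexrateAuthorize(?string $authorizationHeader, ?string $configuredToken): array
{
    $deny = [
        'ok'     => false,
        'status' => 401,
        'body'   => json_encode(['message' => 'Unauthorized']),
    ];

    // Fail closed: with no configured secret there is nothing to compare
    // against, so every request is rejected. Checking this first also means
    // a request carrying an empty token can never match an empty config.
    if ($configuredToken === null || $configuredToken === '') {
        return $deny;
    }

    if ($authorizationHeader === null) {
        return $deny;
    }

    // Accept only the Bearer scheme. The scheme name is case-insensitive
    // (RFC 7235); the token itself is compared exactly.
    if (!preg_match('/^Bearer\s+(\S+)\s*$/i', $authorizationHeader, $m)) {
        return $deny;
    }
    $presented = $m[1];

    // hash_equals() takes time that depends only on the length of its first
    // argument, so a mismatch in byte 1 costs the same as a mismatch in the
    // last byte. The known secret must be the first argument.
    if (!hash_equals($configuredToken, $presented)) {
        return $deny;
    }

    return ['ok' => true, 'status' => 200, 'body' => ''];
}

// Stand-alone demonstration with constructed inputs (not real credentials).
if (PHP_SAPI === 'cli') {
    $secret = 'example-secret-token-do-not-use';
    $cases = [
        'valid token'             => ["Bearer $secret", $secret],
        'wrong token'             => ['Bearer not-the-secret', $secret],
        'missing header'          => [null, $secret],
        'wrong scheme'            => ["Basic $secret", $secret],
        'token unset in config'   => ["Bearer $secret", null],
        'token empty in config'   => ['Bearer ', ''],
    ];
    foreach ($cases as $label => [$header, $token]) {
        $r = flexrateAuthorize($header, $token);
        printf("%-24s -> %d %s\n", $label, $r['status'], $r['ok'] ? 'OK' : $r['body']);
    }
}
```

Run it with `php auth_example.php`; only the first case is accepted, and every denial carries the same `{"message":"Unauthorized"}` body, so a caller cannot distinguish a missing header from a wrong token or from a misconfigured server.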