FlexPoint Docs: Engineering API Reference

Authentication

All FlexRate API endpoints require a shared bearer token passed in the Authorization header.

Bearer Token

Every request must include an Authorization header:

Authorization: Bearer <FLEXRATE_INTERNAL_TOKEN>

The token value is set in the server's .env file under FLEXRATE_INTERNAL_TOKEN. It is compared server-side using a constant-time equality check (hash_equals) to prevent timing attacks.

Error Responses

A missing or invalid token returns 401 Unauthorized:

{ "message": "Unauthorized" }

Security Notes

  • The token is not user-scoped — it grants access to all endpoints on behalf of any server that holds it.
  • Rotate the token by updating FLEXRATE_INTERNAL_TOKEN in .env and restarting the application. No migrations required.
  • Do not expose this token to browser-side JavaScript. All calls must originate from a trusted server context.
  • The middleware is fail-closed: if FLEXRATE_INTERNAL_TOKEN is empty or unset, all requests are rejected.
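The following middleware is an added example, not FlexRate's own code, showing how the constant-time check and the fail-closed rule above fit together. It assumes a Laravel-style application (suggested by the .env and middleware wording) and a config/flexrate.php entry that maps FLEXRATE_INTERNAL_TOKEN to config('flexrate.internal_token'); both are assumptions.

```php
<?php
// Added example (not FlexRate's own code): a fail-closed bearer-token middleware
// written in the Laravel style; the config key below is an assumed mapping of
// FLEXRATE_INTERNAL_TOKEN from .env via config/flexrate.php.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class VerifyFlexRateToken
{
    /**
     * Pure policy check, kept separate so it can be unit-tested without HTTP.
     * Returns true only when a non-empty token is configured AND the presented
     * token matches it byte for byte.
     */
    public static function tokenIsValid(?string $presented, ?string $configured): bool
    {
        // Fail closed: an unset or empty FLEXRATE_INTERNAL_TOKEN rejects every request,
        // so a misconfigured deployment never becomes an open endpoint.
        if ($configured === null || $configured === '') {
            return false;
        }
        // A missing or empty Authorization header is rejected before comparison.
        if ($presented === null || $presented === '') {
            return false;
        }
        // hash_equals compares in time independent of where the strings first differ.
        // Argument order matters: the known secret first, the user-supplied value second.
        return hash_equals($configured, $presented);
    }

    public function handle(Request $request, Closure $next)
    {
        // bearerToken() strips the "Bearer " prefix and returns null when the
        // header is absent or not a Bearer scheme.
        $presented  = $request->bearerToken();
        // Read through config() rather than env() so config caching still works.
        $configured = config('flexrate.internal_token');

        if (!self::tokenIsValid($presented, $configured)) {
            // Same generic body for missing, empty and wrong tokens: no oracle
            // about which case occurred, matching the documented 401 response.
            return response()->json(['message' => 'Unauthorized'], 401);
        }

        return $next($request);
    }
}
```

Because tokenIsValid() has no framework dependencies, a unit test can assert that an empty configured token rejects even a matching presented token, which is the fail-closed property the notes above describe.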
