Authentication
Most FunnelFlux Pro API requests authenticate with a bearer access token, sent in an Authorization: Bearer TOKEN header.
An initial access token and refresh token can be sourced in our app -- just log in and navigate to the settings > API Access section.
Note that these are provided on demand and are not saved in the UI -- you should save them securely on your own, outside of FunnelFlux.
For endpoint-level details, see the Authentication API reference.
Access and Refresh Tokens
Access tokens are temporary tokens with a 72-hour expiry. They are used in the Authorization header for API requests.
Refresh tokens are long-lived and are used to reissue an access token when it has expired. A user can create many refresh tokens, but after 100 any older ones will be invalidated. Users should avoid excessively generating these and should instead store a single refresh token and use it to regenerate access tokens every 72 hours.
If you suspect an access or refresh token has been compromised, contact FunnelFlux support. We can invalidate login sessions and tokens; there is not currently a UI feature for manually invalidating API tokens.
Revalidating access tokens
When an access token expires, you may receive a 400 bad request or 401 unauthorized response. You can either react to that response or refresh the token before expiry.
A query to the /v1/auth/validate API must contain a valid Authorization: Bearer TOKEN header. However, this token can be expired.
If it is expired, and refresh_token is provided in the request body, a new access token will be issued and returned in the response.
Here is an example cURL request for revalidation:
Code
You can store this access token and its expiry, then use that expiry to programmatically reissue an access token if needed.
You can also query /v1/auth/validate at the start of periodic jobs, passing your access token in headers and refresh token in the request body, to automatically check and reissue if needed.
For higher-volume integrations, manage expiry internally and only request a new access token when needed.
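One way to manage expiry internally, as an added example rather than FunnelFlux code: a small token holder that reissues the access token only when it is close to its stored expiry, and retries once after a 400 or 401. The revalidate and send callables, the skew value and the class itself are assumptions; revalidate stands in for your own request to /v1/auth/validate, whose response format is not shown on this page.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Tuple

ACCESS_TTL = 72 * 3600  # the page states a 72-hour access token expiry


@dataclass
class TokenManager:
    # repr=False keeps secrets out of logs and tracebacks that print the object.
    access_token: str = field(repr=False)
    expires_at: float            # epoch seconds, stored alongside the token
    refresh_token: str = field(repr=False)
    # Hypothetical callable wrapping the /v1/auth/validate request: takes
    # (access_token, refresh_token), returns (new_access_token, new_expiry).
    revalidate: Callable[[str, str], Tuple[str, float]] = field(repr=False)
    skew: float = 300.0          # assumed margin: refresh 5 minutes early
    clock: Callable[[], float] = field(default=time.time, repr=False)

    def _refresh(self) -> None:
        # An expired access token is still accepted here, per the page.
        self.access_token, self.expires_at = self.revalidate(
            self.access_token, self.refresh_token)

    def bearer(self) -> str:
        """Return a usable access token, reissuing only when near expiry."""
        if self.clock() >= self.expires_at - self.skew:
            self._refresh()
        return self.access_token

    def call(self, send: Callable[[dict], Tuple[int, object]]):
        """send(headers) -> (status, body); reissue and retry once on 400/401."""
        status, body = send({"Authorization": f"Bearer {self.bearer()}"})
        if status in (400, 401):
            # Retry a single time so a genuinely bad request cannot loop.
            self._refresh()
            status, body = send({"Authorization": f"Bearer {self.access_token}"})
        return status, body
```

Persist the refreshed access token and expiry in the same secure store as the refresh token, so a restart does not fall back to an expired token.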
API Keys
Some ledger and reporting endpoints also document API key authentication. Prefer bearer access tokens for normal user API integrations unless your FunnelFlux contact has specifically instructed you to use an API key flow.