Authentication

Every API request must include a valid user API key. Public API endpoints do not use browser sessions or cookies.

Auth Checklist

- Generate a key from Settings -> API Keys.
- Send the key on every request using `Authorization: Bearer ...` (recommended) or `X-API-Key`.
- If both headers are present, keep their values identical to avoid confusion.
- Treat keys like passwords: never expose them in frontend code or public repos.
- After rotating/revoking a key, requests that still use the old key will fail immediately.

Headers

Use one of these headers. Bearer token format is preferred for server-to-server integrations.

Authorization: Bearer fm_live_your_api_key
X-API-Key: fm_live_your_api_key

Common Authentication Failures

Typical causes and how to fix them quickly.

401 Unauthorized
- Missing API key header
- Invalid or revoked key
- Key belongs to another environment

403 Forbidden
- Account is inactive/suspended

Fix flow
1) Confirm the header is sent on the request you are debugging.
2) Verify the key is active in Settings -> API Keys.
3) Retry with a newly created key if needed.
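
A client-side check for the checklist and for step 1 of the fix flow, as an added example (not code from this API's vendor): it builds the Bearer header from the environment, flags missing, malformed or conflicting key headers before a request goes out, and masks the key for logs. The environment variable name `FM_API_KEY`, the function names and the sample key value are assumptions made for the example.

```python
import os

KEY_ENV = "FM_API_KEY"  # assumed variable name; the page does not define one

def auth_headers(environ=os.environ):
    """Build the recommended Bearer header from the environment, never from source code."""
    key = environ.get(KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return {"Authorization": f"Bearer {key}"}

def extract_keys(headers):
    """Return (bearer_key, x_api_key); header names are matched case-insensitively."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    scheme, _, token = h.get("authorization", "").partition(" ")
    bearer = token.strip() if scheme.lower() == "bearer" and token.strip() else None
    return bearer, h.get("x-api-key") or None

def preflight(headers):
    """List header problems worth fixing before the request is sent."""
    names = {name.lower() for name in headers}
    bearer, x_key = extract_keys(headers)
    problems = []
    if "authorization" in names and bearer is None:
        problems.append("Authorization header is not in 'Bearer <key>' form")
    if bearer is None and x_key is None:
        problems.append("no API key header present")
    if bearer and x_key and bearer != x_key:
        problems.append("Authorization and X-API-Key carry different keys")
    return problems

def redact(key):
    """Mask a key for log output, keeping only its last four characters."""
    return "********" + (key[-4:] if len(key) > 8 else "")

if __name__ == "__main__":
    sample = "fm_live_CONSTRUCTED_EXAMPLE_0000"  # constructed value, not a real key
    request_headers = {"authorization": f"Bearer {sample}", "X-API-Key": "fm_live_other"}
    print(redact(sample), preflight(request_headers))
```

An empty list from `preflight` means the headers are well-formed; a 401 after that points to the key itself (invalid, revoked, or from another environment).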