API Keys
Manage your FlowSearch API keys and understand key types.
Key Types
FlowSearch uses two types of API keys:
Search Key
fs_pk_...
Public key for frontend use. Only allows search operations.
- ✓ Safe to expose in browser
- ✓ Can be used in client-side code
- ✗ Cannot manage website settings
Admin Key
fs_sk_...
Secret key for backend use. Full API access.
- ✗ Never expose publicly
- ✓ Use only in server-side code
- ✓ Can manage all settings
Security Warning
Never expose your Admin Key (fs_sk_...) in frontend code, public repositories, or client-side JavaScript. It grants full access to your account.
Getting Your API Keys
- Log in to your FlowSearch dashboard
- Select your website
- Click the "Integration" tab
- Your Search Key is displayed and ready to copy
- Admin Keys can be viewed/created in the security section
Using Your Search Key
The Search Key is used in the Search Bar Script (all pages). Place this script in Webflow Site Settings → Custom Code → Head Code.
<script
src="https://www.flowsearch.io/widget.js"
data-key="fs_pk_xxxxxxxxxxxxxxxxxxxx"
data-results-page="/search-results"
data-live="true">
</script>
Webflow reserves the /search slug, so use /search-results or another custom slug and keep data-results-page in sync with the published page.
Origin Restrictions
Protect your Search Key by restricting which domains can use it:
- Go to your website settings
- Find the "Allowed Origins" section
- Add your domain(s):
# Example allowed origins
https://yoursite.com
https://www.yoursite.com
https://yoursite.webflow.io
Requests from other domains will be rejected, even with a valid API key.
Rate Limiting
Public Search Key requests use the website's effective plan. The search API also caps per_page by plan.
| Plan | Search requests/minute | Max per page |
|---|---|---|
| Free | 30 req/min | 10 |
| Basic | 60 req/min | 20 |
| Pro | 120 req/min | 50 |
| Business | 180 req/min | 50 |
| Enterprise | 600 req/min | 100 |
Regenerating Keys
If you suspect a key has been compromised:
- Go to your website's Integration tab
- Click "Regenerate Key"
- Update your code with the new key
- The old key is immediately invalidated
Downtime Warning
Regenerating a key immediately invalidates the old one. Make sure to update your code before regenerating to avoid search downtime.
Best Practices
For Search Keys
- Always set origin restrictions for production
- Use different keys for staging and production
- Monitor usage in your dashboard
For Admin Keys
- Never commit to version control
- Use environment variables
- Rotate regularly (every 90 days recommended)
- Use the principle of least privilege
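One way to enforce the "Never commit to version control" rule above and the Security Warning before a commit or deploy, as an added example (not FlowSearch's own code): it scans file contents for fs_sk_ keys, skips documentation placeholders, and reports only a redacted value. The key character set after the prefix, the list of client-side file extensions, and the sample files are assumptions.

```javascript
// Added example: scan file contents for FlowSearch Admin Keys before commit/deploy.
// Assumption: the characters after the fs_sk_ prefix are letters, digits, "_" or "-";
// the page only documents the prefix.
const ADMIN_KEY = /fs_sk_[A-Za-z0-9_-]{8,}/g;
const WIDGET_ATTR = /data-key\s*=\s*["']fs_sk_/;
const CLIENT_FILE = /\.(html?|jsx?|tsx?|vue)$/i; // assumption: these ship to the browser

// Keep only the prefix and last 4 characters so the report never re-leaks the key.
function redact(key) {
  return "fs_sk_..." + key.slice(-4);
}

// Documentation placeholders such as fs_sk_xxxxxxxxxxxxxxxxxxxx are not real keys.
function isPlaceholder(key) {
  return /^fs_sk_(.)\1+$/.test(key);
}

// files: [{ path, content }] -> [{ path, line, key, reason }]
function findAdminKeyLeaks(files) {
  const findings = [];
  for (const { path, content } of files) {
    content.split(/\r?\n/).forEach((text, i) => {
      for (const [key] of text.matchAll(ADMIN_KEY)) {
        if (isPlaceholder(key)) continue;
        let reason = "admin key in tracked file";
        if (WIDGET_ATTR.test(text)) reason = "admin key used as widget data-key";
        else if (CLIENT_FILE.test(path)) reason = "admin key in client-side file";
        findings.push({ path, line: i + 1, key: redact(key), reason });
      }
    });
  }
  return findings;
}

// Constructed sample input; every key value here is made up.
const sampleFiles = [
  { path: "index.html", content: '<script src="https://www.flowsearch.io/widget.js"\n data-key="fs_sk_Zt41mQ9Lr0aB77xYc3Hd"></script>' },
  { path: "src/search.js", content: 'const key = "fs_pk_Aa11Bb22Cc33Dd44Ee55";' },
  { path: "server/crawl.js", content: "const adminKey = process.env.FLOWSEARCH_ADMIN_KEY;" },
  { path: "docs/setup.md", content: "FLOWSEARCH_ADMIN_KEY=fs_sk_xxxxxxxxxxxxxxxxxxxx" },
  { path: "scripts/deploy.sh", content: "export FLOWSEARCH_ADMIN_KEY=fs_sk_Qw88eR7tY6uI5oP4aS3d" },
];

console.log(findAdminKeyLeaks(sampleFiles));
```

Any key this check reports should be treated as compromised and regenerated, since it has already been written to a file.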
# Store in environment variables
# .env (never commit this file!)
FLOWSEARCH_ADMIN_KEY=fs_sk_xxxxxxxxxxxxxxxxxxxx
// Access in your code
const adminKey = process.env.FLOWSEARCH_ADMIN_KEY;
Key Permissions
| Action | Search Key | Admin Key |
|---|---|---|
| Search content | ✓ | ✓ |
| AI search | ✓ | ✓ |
| View analytics | ✗ | ✓ |
| Trigger crawls | ✗ | ✓ |
| Manage settings | ✗ | ✓ |
| Upload documents | ✗ | ✓ |
API key permissions do not bypass plan entitlements. Follow-up AI conversations and External Knowledge require a paid plan, and chunked uploaded document knowledge requires Business or Enterprise.