
Authentication - ColorFlow API

Professional color gradients for modern developers. Generate, secure, and manage your access credentials with enterprise-grade standards.

Credential Management

API Keys & OAuth Integration

Generate your secret keys through the developer dashboard and implement them securely across your frontend and backend services.

Generating Your First Key

Navigate to Settings > Credentials in your ColorFlow dashboard. Click "Create New Key" and assign a descriptive label like "production-app-v2". Your secret token, prefixed with cf_sk_, will appear exactly once. Store it immediately in your environment variables.

OAuth 2.0 for User Delegation

For applications requiring user-specific palette access, implement our OAuth 2.0 flow. Register your redirect URI (e.g., https://app.yourdomain.com/callback) and request the gradient.read and palette.write scopes. Tokens expire after 3600 seconds and refresh automatically.
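The authorization-code exchange above, as an added example that is not ColorFlow's own SDK or documentation code. The docs name only the scopes, the redirect URI format and the 3600-second token lifetime; the authorize endpoint path, the query parameter names and the state-handling are assumptions made here. The two security-relevant checks are the unguessable state value, compared in constant time on the callback, and refreshing a short while before the documented expiry so a request is never sent with a dead token.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint; the docs do not state the OAuth paths on api.colorflow.dev.
AUTHORIZE_URL = "https://api.colorflow.dev/oauth/authorize"
SCOPES = ("gradient.read", "palette.write")   # scopes named in the docs
TOKEN_LIFETIME_SECONDS = 3600                   # lifetime stated in the docs


def new_state():
    """Unguessable per-login value bound to the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Build the redirect that sends the user to ColorFlow's consent screen."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,       # must match the registered URI exactly
        "scope": " ".join(SCOPES),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Return the authorization code, refusing callbacks whose state does not match."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_needs_refresh(issued_at, now=None, skew=60):
    """True once the 3600-second token is within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return now >= issued_at + TOKEN_LIFETIME_SECONDS - skew
```

Persist the state value server-side (session or signed cookie) between building the URL and handling the callback; the code only exchanges it once the state check passes.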

Implementation Best Practices

Never embed your secret key in client-side JavaScript or public repositories. Use the cf_pk_ publishable key for browser-based preview requests, and route all mutation endpoints through a secure backend service. Rotate keys every 90 days via the dashboard.
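The key-handling rules from "Generating Your First Key" and the best practices above, as an added example rather than ColorFlow's own code. It uses the cf_sk_ and cf_pk_ prefixes and the 90-day rotation period from the docs; the environment variable name is an assumption. The point is to make the secret/publishable distinction a check the code enforces instead of a convention: the backend refuses to start on a publishable key, the browser-facing path refuses to emit a secret key, logs only ever see a redacted form, and rotation age is computed rather than remembered.

```python
import os
from datetime import datetime, timedelta, timezone

SECRET_PREFIX = "cf_sk_"        # server-side only
PUBLISHABLE_PREFIX = "cf_pk_"   # safe for browser preview requests
ROTATION_PERIOD = timedelta(days=90)
SECRET_ENV_VAR = "COLORFLOW_SECRET_KEY"  # assumed name, not stated in the docs


def classify_key(key):
    """Return 'secret' or 'publishable' from the prefix; reject anything else."""
    if key.startswith(SECRET_PREFIX):
        return "secret"
    if key.startswith(PUBLISHABLE_PREFIX):
        return "publishable"
    raise ValueError("not a ColorFlow key (expected cf_sk_ or cf_pk_ prefix)")


def load_secret_key(env=None, var=SECRET_ENV_VAR):
    """Read the secret key from the environment, never from source or client config."""
    env = os.environ if env is None else env
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set")
    if classify_key(key) != "secret":
        raise RuntimeError(f"{var} holds a publishable key; a cf_sk_ key is required server-side")
    return key


def key_for_browser(key):
    """Gate what a template or bundle may embed: only the publishable key passes."""
    if classify_key(key) != "publishable":
        raise RuntimeError("refusing to expose a secret key to client-side code")
    return key


def redact(key):
    """Log-safe form: prefix plus the last four characters."""
    prefix = SECRET_PREFIX if classify_key(key) == "secret" else PUBLISHABLE_PREFIX
    return prefix + "..." + key[-4:]


def rotation_due(created_at, now=None):
    """True once a key has reached the 90-day rotation age."""
    now = datetime.now(timezone.utc) if now is None else now
    return now - created_at >= ROTATION_PERIOD
```

Mutation calls (anything that writes palettes) go through the backend that holds the cf_sk_ key; the browser bundle only ever receives what key_for_browser returns.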

Infrastructure & Compliance

Security Standards & Data Protection

ColorFlow enforces strict authentication protocols to safeguard your gradient assets and user data across all endpoints.

Transport Layer Encryption

All API requests must use TLS 1.3 over HTTPS. Connections to api.colorflow.dev without valid certificates are automatically rejected. We maintain SOC 2 Type II compliance and conduct quarterly penetration tests with third-party auditors.

Request Signing & Validation

Webhook deliveries include a cf-signature header generated via HMAC-SHA256. Verify payloads using your endpoint's secret key before processing gradient sync events. Replay attacks are mitigated by enforcing a 300-second timestamp validity window.
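Verification of the cf-signature header as an added example; this is not ColorFlow's published verification code. The docs specify HMAC-SHA256, the cf-signature header and a 300-second window, but not how the timestamp is carried or what exactly is signed, so the header layout "t=<unix seconds>,v1=<hex digest>" and the signed message "<timestamp>.<raw body>" are assumptions here. What the example does show is the order of checks a receiver should keep: parse the header defensively, reject stale timestamps before doing any work, recompute the MAC over the raw bytes (not a re-serialized JSON object), and compare in constant time.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # replay window stated in the docs


def compute_signature(secret, timestamp, body):
    """HMAC-SHA256 over "<timestamp>.<raw body>" (assumed message layout)."""
    message = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def parse_signature_header(header):
    """Parse the assumed 't=<unix seconds>,v1=<hex digest>' header layout."""
    fields = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            fields[key] = value
    return int(fields["t"]), fields["v1"]


def verify_webhook(secret, signature_header, body, now=None):
    """Return True only for a fresh delivery whose raw body carries a valid MAC."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, provided = parse_signature_header(signature_header)
    except (KeyError, ValueError):
        return False                       # malformed or missing fields
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False                       # outside the replay window
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison; encode so non-ASCII header junk cannot raise.
    return hmac.compare_digest(expected.encode(), provided.encode())
```

Call verify_webhook on the request body bytes exactly as received, before JSON decoding, and only then process the gradient sync event.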

IP Allowlisting & Access Controls

Restrict API key usage to specific server ranges through the dashboard's network policies. Define CIDR blocks for your AWS us-east-1 or Azure West Europe deployments. Keys flagged for anomalous geographic patterns are automatically suspended pending review.
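A pre-flight check for the network policy above, added here as an example and not part of ColorFlow's tooling: before saving CIDR blocks in the dashboard, confirm that every address your servers actually egress from is covered, so a deploy does not start failing on a policy typo. The sample addresses are constructed from documentation ranges; the allowlist is whatever you would enter in the dashboard.

```python
import ipaddress


def parse_allowlist(cidrs):
    """Build network objects; a CIDR with host bits set is rejected so typos surface."""
    return [ipaddress.ip_network(cidr) for cidr in cidrs]


def is_allowed(ip, networks):
    """True when the address falls inside any allowlisted block (IPv4 or IPv6)."""
    address = ipaddress.ip_address(ip)
    return any(address in network for network in networks)


def uncovered_egress(egress_ips, cidrs):
    """Addresses your services call from that the policy would block."""
    networks = parse_allowlist(cidrs)
    return [ip for ip in egress_ips if not is_allowed(ip, networks)]


if __name__ == "__main__":
    # Constructed sample: two allowlisted blocks, one egress address outside them.
    allowlist = ["203.0.113.0/24", "2001:db8::/32"]
    egress = ["203.0.113.10", "198.51.100.7", "2001:db8::1"]
    print("not covered by policy:", uncovered_egress(egress, allowlist))
```

Run this against the NAT gateway or load-balancer egress addresses for each deployment region; an empty result means the policy is safe to apply.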

Usage Quotas & Throttling

Rate Limits & Request Management

Optimize your integration performance by understanding throughput caps and implementing proper backoff strategies.

Tier-Based Throughput Caps

Free tier accounts are limited to 1,200 requests per hour, while Pro plans support up to 15,000 requests per hour. Enterprise customers receive dedicated scaling with custom limits negotiated during onboarding. Monitor your usage via the X-RateLimit-Remaining response header.

Handling 429 Responses

When thresholds are exceeded, endpoints return HTTP 429 Too Many Requests. Implement exponential backoff starting at 1.5 seconds, with a maximum retry interval of 30 seconds. The Retry-After header specifies the exact wait time in seconds before resuming calls.

Batch Operations & Optimization

Reduce request overhead by using the /v2/gradients/batch endpoint, which accepts up to 50 palette configurations per call. Batch requests count as a single rate limit unit and return consolidated JSON responses, improving latency for large-scale design system deployments.
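A client-side implementation of the throttling rules from "Handling 429 Responses" and the batch guidance above, added as an example; it is not ColorFlow's SDK. It uses the documented numbers (1.5-second initial backoff, 30-second cap, Retry-After, 50 palettes per batch, X-RateLimit-Remaining) and assumes a caller-supplied send function that returns the status, headers and decoded body, so no HTTP library or network is needed to exercise it.

```python
import time

BASE_DELAY = 1.5      # first backoff interval, per the docs
MAX_DELAY = 30.0      # cap on the exponential interval
MAX_ATTEMPTS = 6
BATCH_LIMIT = 50      # palettes per /v2/gradients/batch call


def chunk_palettes(configs, size=BATCH_LIMIT):
    """Split palette configurations into batches the endpoint will accept."""
    return [configs[i:i + size] for i in range(0, len(configs), size)]


def backoff_delay(attempt, retry_after=None):
    """Use Retry-After verbatim when present, otherwise 1.5 s doubling, capped at 30 s."""
    if retry_after is not None:
        return float(retry_after)
    return min(BASE_DELAY * (2 ** attempt), MAX_DELAY)


def rate_limit_remaining(headers):
    """Read X-RateLimit-Remaining, or None when the header is absent."""
    value = headers.get("X-RateLimit-Remaining")
    return None if value is None else int(value)


def call_with_backoff(send, payload, sleep=time.sleep):
    """send(payload) -> (status, headers, body); retries only on HTTP 429."""
    for attempt in range(MAX_ATTEMPTS):
        status, headers, body = send(payload)
        if status != 429:
            return status, headers, body
        sleep(backoff_delay(attempt, headers.get("Retry-After")))
    raise RuntimeError("still rate limited after %d attempts" % MAX_ATTEMPTS)


def sync_gradients(send, configs, sleep=time.sleep):
    """Push all configs through the batch endpoint; each batch is one rate-limit unit."""
    results = []
    for batch in chunk_palettes(configs):
        status, headers, body = call_with_backoff(send, {"gradients": batch}, sleep)
        results.append((status, rate_limit_remaining(headers), body))
    return results
```

Only 429 is retried here; 4xx errors that indicate a bad request or a suspended key should surface immediately rather than be retried. Header lookups assume the transport normalises header names to the casing shown.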