Authentication & Security
Design. Customize. Export Stunning Gradients. Secure your integrations with ChromaFlow's API.
API Key Management
Generate, rotate, and scope your project keys directly from the developer dashboard. Each key is tied to a specific workspace environment.
Navigate to Settings > Developer > API Credentials to create a new token. Assign granular permissions like gradient:read or palette:export before saving. Keys expire after 90 days of inactivity and trigger automated Slack alerts to your team channel when rotated.
Generate Production Key
Use the prod_ prefix for live exports. Enable IP whitelisting to restrict access to your CI/CD runners at 54.239.x.x.
Sandbox Testing
Switch to the staging environment with test_ keys. Mock responses return deterministic hex values for reliable UI testing.
OAuth 2.0 Integration
Enable seamless user authentication across your design tools without storing ChromaFlow credentials locally.
Initialize the authorization flow by directing users to https://auth.chromaflow.io/oauth2/authorize with your registered client ID and requested scopes. After consent, ChromaFlow redirects to your configured callback URL with an authorization code. Exchange this code for an access token at /oauth2/token using your client secret. Tokens refresh automatically every 2 hours and support PKCE for public clients.
Required Scopes
Request user:profile for basic identity data and gradient:write to programmatically save custom palettes to user libraries.
Callback Configuration
Register HTTPS endpoints in the OAuth dashboard. We validate state parameters to prevent CSRF attacks and enforce strict origin matching.
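The authorization flow and callback validation described above, as an added example that is not ChromaFlow's own SDK: it builds the authorize URL with PKCE and a random state, then checks the callback's origin and state before assembling the token-exchange body. The authorize URL comes from the page; the token endpoint host, client_id, redirect_uri and the session dict are assumptions.

```python
# Added example (not ChromaFlow's code): authorization-code flow with PKCE and
# a CSRF state check on the callback. Only the /oauth2/authorize URL is from the
# page; the token host, client id, redirect URI and session store are assumed.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.chromaflow.io/oauth2/authorize"  # from the page
TOKEN_URL = "https://auth.chromaflow.io/oauth2/token"          # assumed host for /oauth2/token


def make_code_verifier() -> str:
    # RFC 7636: 43-128 unreserved chars; 32 random bytes -> 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def start_authorization(session: dict, client_id: str, redirect_uri: str, scopes: list) -> str:
    """Store state and verifier in the user's session; return the URL to redirect to."""
    state = secrets.token_urlsafe(32)
    verifier = make_code_verifier()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # e.g. user:profile gradient:write
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, registered_redirect: str,
                    client_id: str, client_secret: str = None) -> dict:
    """Validate the redirect and build the form body to POST to TOKEN_URL.

    Raises ValueError if the callback landed somewhere other than the registered
    redirect URI or the state does not match the one stored at flow start.
    """
    got, want = urlparse(callback_url), urlparse(registered_redirect)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive at the registered redirect URI")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    expected_state = session.pop("oauth_state", None)
    presented = qs.get("state", [""])[0]
    # one-shot state, compared in constant time; a mismatch is a CSRF/replay signal
    if not expected_state or not secrets.compare_digest(presented, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    body = {
        "grant_type": "authorization_code",
        "code": qs["code"][0],
        "redirect_uri": registered_redirect,
        "client_id": client_id,
        "code_verifier": session.pop("pkce_verifier"),
    }
    if client_secret:                      # confidential clients only; public clients rely on PKCE
        body["client_secret"] = client_secret
    return body
```

Keep the state single-use (the `pop` above) so a captured callback cannot be replayed, and never log the token body, since it carries the code and, for confidential clients, the secret.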
Rate Limiting Policies
Protect your applications and ours with transparent request throttling and predictive quota management.
ChromaFlow enforces a sliding window algorithm across all authenticated endpoints. Standard plans receive 120 requests per minute for read operations and 45 requests per minute for export jobs. Enterprise accounts scale to 600 RPM with dedicated burst allowances. When approaching your threshold, response headers return X-RateLimit-Remaining and Retry-After values. Implement exponential backoff in your retry logic to avoid 429 status codes.
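Retry logic of the kind the paragraph asks for, as an added example rather than ChromaFlow's client library: it honours a numeric Retry-After when the server sends one, otherwise backs off exponentially with jitter, and stops after a bounded number of attempts. The header names are from the page; the `Response` class and the injectable `send`/`sleep` callables are assumptions so the code runs offline.

```python
# Added example (not ChromaFlow's SDK): 429 handling with Retry-After and
# capped exponential backoff with full jitter. Response/send/sleep are stand-ins.
import random
import time
from typing import Callable, Optional, Tuple


class Response:
    """Constructed stand-in for an HTTP client response."""
    def __init__(self, status: int, headers: Optional[dict] = None, body: str = ""):
        self.status = status
        self.headers = headers or {}
        self.body = body


def backoff_delay(attempt: int, retry_after: Optional[str],
                  base: float = 0.5, cap: float = 8.0) -> float:
    """Seconds to wait before the next try.

    A numeric Retry-After from the server wins; otherwise full-jitter
    exponential backoff: uniform(0, min(cap, base * 2**attempt)).
    """
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass  # HTTP-date form of Retry-After not handled here; fall back to backoff
    return random.uniform(0, min(cap, base * (2 ** attempt)))


def request_with_backoff(send: Callable[[], Response], max_attempts: int = 5,
                         sleep: Callable[[float], None] = time.sleep) -> Tuple[Response, int]:
    """Call send() until it returns something other than 429. Returns (response, attempts)."""
    for attempt in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp, attempt + 1
        if attempt == max_attempts - 1:
            break
        sleep(backoff_delay(attempt, resp.headers.get("Retry-After")))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


def remaining_budget(resp: Response) -> Optional[int]:
    """Parse X-RateLimit-Remaining so callers can slow down before hitting 429."""
    value = resp.headers.get("X-RateLimit-Remaining")
    return int(value) if value is not None and value.isdigit() else None
```

Only idempotent calls (reads, status polls) should be retried blindly; for export jobs, retry the submission only if the API gives you a way to detect a duplicate.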
Quota Monitoring
Track real-time consumption via the /v1/analytics/usage endpoint. Set webhook triggers at 75% and 90% utilization to alert your DevOps team.
Burst Handling
Temporary spikes up to 1.5x your base limit are permitted during peak design sprints. Sustained overages queue requests with a maximum 3-second delay.
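A server-side sliding-window limiter with a burst allowance and bounded queueing, as an added example of the policy described in this section (it is not ChromaFlow's implementation). The numbers (per-minute base limit, 1.5x burst, 3-second maximum queue delay) are from the page; the design that distinguishes a temporary spike from a sustained overage by checking a longer window is an assumption: the one-minute window may hold up to 1.5x the base limit, while a five-minute window enforces the base rate on average.

```python
# Added example (not ChromaFlow's code): sliding-window limiter with a 1.5x
# burst allowance over one minute and the base rate enforced over a longer
# window; over-limit requests are queued up to max_delay seconds, else rejected.
# The two-window design is an assumption; the figures are from the page.
import bisect


class SlidingWindowLimiter:
    def __init__(self, limit_per_minute: int, burst_factor: float = 1.5,
                 sustain_minutes: int = 5, max_delay: float = 3.0):
        self.short_window = 60.0
        self.short_cap = int(limit_per_minute * burst_factor)   # spike allowance
        self.long_window = 60.0 * sustain_minutes
        self.long_cap = limit_per_minute * sustain_minutes       # base rate on average
        self.max_delay = max_delay
        self.served = []  # sorted timestamps at which accepted requests are/will be served

    def _prune(self, now: float) -> None:
        cutoff = now - self.long_window
        del self.served[:bisect.bisect_right(self.served, cutoff)]

    def _wait_for_slot(self, now: float) -> float:
        """Seconds until both windows have room for one more request (0 if now)."""
        wait = 0.0
        start = bisect.bisect_right(self.served, now - self.short_window)
        short = self.served[start:]
        if len(short) >= self.short_cap:
            # room appears when the (len-cap)-th oldest entry leaves the short window
            wait = max(wait, short[len(short) - self.short_cap] + self.short_window - now)
        if len(self.served) >= self.long_cap:
            wait = max(wait, self.served[len(self.served) - self.long_cap] + self.long_window - now)
        return wait

    def check(self, now: float) -> tuple:
        """Decide one request arriving at `now`.

        Returns ("accept", 0.0), ("queue", delay) with delay <= max_delay,
        or ("reject", delay) when the caller should answer 429 with Retry-After.
        """
        self._prune(now)
        wait = self._wait_for_slot(now)
        if wait <= 0:
            bisect.insort(self.served, now)
            return "accept", 0.0
        if wait <= self.max_delay:
            bisect.insort(self.served, now + wait)   # reserve the slot it will take
            return "queue", wait
        return "reject", wait
```

The `wait` value returned on rejection is what you would surface as Retry-After, so clients that back off correctly settle at the base rate instead of hammering the window edge.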