Developer Documentation
Authentication — API Keys & OAuth
Secure your integration with IconFlow's API. Generate API keys, configure OAuth 2.0 flows, and follow industry-standard security practices to protect your icon assets.
Step 1
API Key Authentication
API keys provide the simplest way to authenticate your application with the IconFlow API. Each key is tied to your account and can be scoped to specific permissions.
Read-Only Keys
Use read-only keys for frontend applications that only need to fetch icon metadata, preview URLs, and public pack listings. These keys cannot modify any resources.
Write Keys
Write keys allow your application to upload custom icon packs, modify collection settings, and manage team permissions. Keep these on your server only.
Admin Keys
Full-access keys for account administration. These can manage billing, team members, and all API resources. Recommended for CI/CD pipelines only.
Generating Your First Key
Navigate to Dashboard → Settings → API Keys and click Create New Key. Select the appropriate scope, give your key a descriptive name (e.g., "Production CDN Reader"), and confirm. Your key will be displayed once — store it securely.
// Include your API key in the Authorization header
curl -X GET "https://api.iconflow.dev/v2/packs" \
-H "Authorization: Bearer ifk_live_8xK2mN9pQr4vT7wL" \
-H "Content-Type: application/json"Note: Live keys (prefixed with ifk_live_) access production data. Test keys (ifk_test_) operate against our sandbox environment with sample icon packs. Never commit live keys to version control.
Key Scopes & Permissions
| Scope | Endpoint Access | Use Case |
|---|---|---|
packs:read |
GET /v2/packs, GET /v2/icons | Browsing and searching icon libraries |
packs:write |
POST/PUT/DELETE /v2/packs | Uploading and managing custom packs |
downloads:read |
GET /v2/downloads | Fetching licensed icon assets |
team:manage |
GET/POST /v2/team/members | Inviting and removing team members |
billing:read |
GET /v2/billing/* | Viewing usage analytics and invoices |
Step 2
OAuth 2.0 Authentication
For applications that act on behalf of individual users, implement OAuth 2.0 using the Authorization Code flow with PKCE. This lets your users grant your app access to their IconFlow account without sharing credentials.
Register Your Application
Go to Dashboard → Settings → OAuth Applications and click Register New Application. Provide these details:
- Application Name: e.g., "PixelForge Design Tool"
- Redirect URI: e.g.,
https://pixelforge.design/callback/iconflow - Scopes: Select only the permissions your app needs
After registration, you'll receive a Client ID (e.g., cf_9aB3dE7fGh2iJk). This identifier is public-safe and can be embedded in client-side code.
Authorization Request
Redirect the user to IconFlow's authorization endpoint. Include your client ID, redirect URI, a cryptographically random code_challenge, and the requested scopes.
https://auth.iconflow.dev/oauth/authorize?
response_type=code&
client_id=cf_9aB3dE7fGh2iJk&
redirect_uri=https://pixelforge.design/callback/iconflow&
scope=packs:read+downloads:read&
state=xL8mQ2pR5tY9wN&
code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&
code_challenge_method=S256Tip: Always generate a unique state parameter for each authorization request and validate it upon return to prevent CSRF attacks.
Exchange Authorization Code for Token
After the user authorizes your application, IconFlow redirects back to your redirect URI with an authorization code. Exchange this code for an access token by making a server-to-server POST request:
curl -X POST "https://auth.iconflow.dev/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id=cf_9aB3dE7fGh2iJk" \
-d "code=AUTH_CODE_FROM_REDIRECT" \
-d "redirect_uri=https://pixelforge.design/callback/iconflow" \
-d "code_verifier=D2o1jQ8n7K3mR5pT9wL4xY6zA0bC"
// Response:
{
"access_token": "iat_eyJhbGciOiJSUzI1NiJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "irt_8xK2mN9pQr4vT7wL...",
"scope": "packs:read downloads:read"
}Refreshing Access Tokens
Access tokens expire after 1 hour. Use the refresh token to obtain a new access token without requiring the user to re-authorize:
curl -X POST "https://auth.iconflow.dev/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token" \
-d "client_id=cf_9aB3dE7fGh2iJk" \
-d "refresh_token=irt_8xK2mN9pQr4vT7wL..."Refresh tokens are long-lived (90 days by default) but can be revoked by the user at any time from their IconFlow account settings under Connected Applications.
Step 3
Security Best Practices
Follow these guidelines to keep your IconFlow integration secure and your icon assets protected from unauthorized access.
Never Expose Write Keys Client-Side
Write and admin keys must only exist in server-side environments. Frontend applications should use read-only keys or OAuth flows. If a write key is compromised, rotate it immediately from the API Keys dashboard.
Rotate Keys on a Schedule
Set a calendar reminder to rotate API keys every 90 days. Maintain at least two active keys at a time so you can deactivate the old key after verifying the new one works across all your services.
Use Environment Variables
Store API keys in environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, or Doppler). Never hardcode credentials in source files, configuration files, or Docker images.
Monitor Usage Anomalies
Enable usage alerts in your dashboard. If you see a sudden spike in API calls — for example, 50,000 requests in an hour when your average is 2,000 — investigate immediately and consider temporarily suspending the key.
Validate Redirect URIs
When configuring OAuth applications, whitelist only the exact redirect URIs your application uses. Avoid wildcard patterns like https://*.pixelforge.design to prevent open redirect attacks.
Implement PKCE for Public Clients
Single-page applications and mobile apps must use PKCE (Proof Key for Code Exchange). This prevents authorization code interception attacks by binding the token request to the initial authorization request.
Rate Limits: All authenticated requests are subject to rate limiting. Read-only keys receive 1,000 requests per minute. Write and admin keys receive 200 requests per minute. OAuth access tokens inherit the scope-based limits of the granting user's plan. Monitor the X-RateLimit-Remaining header in API responses.
Error Responses
When authentication fails, the IconFlow API returns standard HTTP status codes:
| Status | Meaning | Action |
|---|---|---|
401 Unauthorized |
Missing, expired, or invalid credentials | Verify your key or re-authorize via OAuth |
403 Forbidden |
Valid credentials but insufficient scope | Request additional scopes or use a higher-privilege key |
429 Too Many Requests |
Rate limit exceeded | Wait for the window to reset; implement exponential backoff |
99.97%
Auth endpoint uptime (2024)
1,200+
Registered OAuth applications
256-bit
TLS encryption on all endpoints
<50ms
Average token validation time