Authentication Overview
FLTR provides three authentication methods designed for different use cases. Choose the method that best fits your application’s needs.
Authentication Methods
API Keys
For scripts, services, and integrations. Rate Limit: 1,000 req/hour
OAuth 2.1
For MCP clients and web apps. Rate Limit: 15,000 req/hour
Session Tokens
For web applications. Rate Limit: 15,000 req/hour
Comparison
| Feature | Anonymous | API Key | OAuth/Session |
|---|---|---|---|
| Rate Limit | 50/hour | 1,000/hour | 15,000/hour |
| Setup Difficulty | None | Easy | Moderate |
| Best For | Testing | Production services | MCP clients, web apps |
| Revocable | N/A | ✅ Yes | ✅ Yes |
| Scope Control | ❌ No | ❌ No | ✅ Yes |
| Secure | ⚠️ Limited | ✅ Yes | ✅ Yes (PKCE) |
When to Use Each Method
Anonymous Access
Use when:
- Testing the API without an account
- Public datasets only
- Prototyping or demos
- 50 requests per hour
- Read-only access to public datasets
- No document uploads
- No dataset creation
API Keys
Use when:
- Building backend services
- Running scheduled jobs or cron tasks
- Integrating with no-code platforms (Zapier, Make, n8n)
- Deploying production applications
- Simple to implement
- 1,000 requests per hour
- Full access to your account’s resources
- Can be rotated and revoked
API Keys Guide
Learn how to generate and manage API keys →
OAuth 2.1
Use when:
- Building MCP integrations (Claude Desktop, VS Code, Cursor)
- Creating web applications with user authentication
- Need fine-grained permission scopes
- Require the highest rate limits
- 15,000 requests per hour
- PKCE flow for enhanced security
- Scope-based permissions
- Automatic token refresh
OAuth Guide
Set up OAuth 2.1 with PKCE →
Session Tokens
Use when:
- Building single-page applications (SPAs)
- Creating admin dashboards
- Need browser-based authentication
- 15,000 requests per hour
- HTTP-only cookies for security
- CSRF protection built-in
- Automatic session management
Sessions Guide
Implement session-based auth →
Rate Limits
All authentication methods have hourly rate limits:
Rate Limit Headers
FLTR includes rate limit information in response headers:
Security Best Practices
For API Keys
Do:
- ✅ Store keys in environment variables
- ✅ Use different keys for dev/staging/prod
- ✅ Rotate keys periodically (every 90 days)
- ✅ Revoke compromised keys immediately
- ✅ Use server-side code only
Don't:
- ❌ Commit keys to version control
- ❌ Embed keys in client-side JavaScript
- ❌ Share keys via email or chat
- ❌ Use the same key across multiple projects
For OAuth
Do:
- ✅ Always use PKCE flow
- ✅ Validate redirect URIs
- ✅ Store tokens securely (encrypted storage)
- ✅ Use HTTPS for all OAuth flows
- ✅ Implement token refresh logic
Don't:
- ❌ Store tokens in localStorage (use httpOnly cookies)
- ❌ Skip state parameter validation
- ❌ Use implicit flow (deprecated)
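The three OAuth rules above (PKCE, redirect URI validation, state validation) are mechanical enough to show in code. The following is an added example, not FLTR's SDK or documentation code: it builds the authorization request with an S256 code challenge, keeps the verifier and state server-side, rejects a callback whose state does not match, and checks redirect URIs by exact match. The endpoint, client id and redirect URI are hypothetical placeholders; FLTR's real values come from the OAuth guide and the application you register.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for illustration; FLTR's real endpoint and client ids
# come from its OAuth guide and the application you register there.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"
# Server-side allowlist of redirect URIs, compared by exact match only.
REGISTERED_REDIRECT_URIS = {REDIRECT_URI}


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to a 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def redirect_uri_allowed(candidate: str) -> bool:
    """Exact-match check; prefix or substring matching would accept appended paths or hosts."""
    return candidate in REGISTERED_REDIRECT_URIS


def build_authorization_request(scope: str):
    """Return the authorize URL plus the secrets the client must keep until the callback."""
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    # Only the challenge leaves the client; the verifier stays in server-side session state.
    pending = {"code_verifier": verifier, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", pending


def parse_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect back from the authorization server and return the code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    returned_state = query.get("state", [""])[0]
    if not returned_state or not secrets.compare_digest(
        returned_state.encode("utf-8"), pending["state"].encode("utf-8")
    ):
        raise ValueError("state mismatch: rejecting callback (possible CSRF)")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code


def token_request_body(code: str, pending: dict) -> dict:
    """Form fields for the token endpoint; the verifier proves we started this flow."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["code_verifier"],
    }


if __name__ == "__main__":
    url, pending = build_authorization_request("read:datasets")
    print("send the user to:", url)
    # Constructed callback for the demo; a real one arrives at REDIRECT_URI.
    callback = f"{REDIRECT_URI}?code=abc123&state={pending['state']}"
    code = parse_callback(callback, pending)
    print("token request body:", token_request_body(code, pending))
```

The `state` comparison is constant-time and the verifier never appears in the browser-facing URL, which is what makes the code useless to anyone who intercepts the redirect without also holding the session.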
For Sessions
Do:
- ✅ Enable HTTP-only cookies
- ✅ Use SameSite=Strict or Lax
- ✅ Implement CSRF protection
- ✅ Set secure flag in production
- ✅ Use short session lifetimes
Don't:
- ❌ Store sensitive data in cookies
- ❌ Accept credentials over HTTP
- ❌ Skip CSRF validation
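The cookie attributes listed above can be checked mechanically. This added example (not FLTR's code) builds a `Set-Cookie` header with the recommended attributes and audits an arbitrary header against them, so a weak cookie can be compared with the corrected one. The cookie name, the sample headers and the 8-hour "short lifetime" threshold are constructed for the example, not FLTR's settings.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# "Short session lifetime" threshold assumed for this example, not FLTR's policy.
MAX_SESSION_SECONDS = 8 * 60 * 60


def build_session_cookie(name: str, token: str, max_age: int = 3600) -> str:
    """Set-Cookie value with the attributes this page recommends.
    The value is an opaque session id, never user data."""
    return (f"{name}={token}; Path=/; Max-Age={max_age}; "
            f"HttpOnly; Secure; SameSite=Lax")


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


@dataclass
class CookieAudit:
    name: str
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def audit_session_cookie(header: str) -> CookieAudit:
    """Report which of the recommended attributes a session cookie is missing."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.findings.append("missing HttpOnly: page scripts can read the session id")
    if "secure" not in attrs:
        audit.findings.append("missing Secure: cookie would be sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        audit.findings.append("SameSite is not Strict or Lax: cross-site requests carry the cookie")
    max_age = attrs.get("max-age")
    if max_age is not None:
        if not max_age.isdigit() or int(max_age) > MAX_SESSION_SECONDS:
            audit.findings.append(f"Max-Age {max_age} exceeds {MAX_SESSION_SECONDS}s")
    return audit


# Constructed sample headers: a weak cookie beside the hardened form.
WEAK_HEADER = "fltr_session=opaque-session-id; Path=/; Max-Age=2592000"
STRONG_HEADER = build_session_cookie("fltr_session", "opaque-session-id")

if __name__ == "__main__":
    for header in (WEAK_HEADER, STRONG_HEADER):
        audit = audit_session_cookie(header)
        print(header)
        print("  ok" if audit.ok else "\n".join(f"  - {f}" for f in audit.findings))
```

A cookie with no `Max-Age` or `Expires` is a browser-session cookie, so the audit leaves its lifetime to the server-side session store rather than flagging it.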
Authentication Errors
401 Unauthorized
- Invalid or expired API key
- Missing Authorization header
- Malformed Bearer token
403 Forbidden
- OAuth scope doesn’t include required permission
- Trying to access another user’s resources
- Account suspended
429 Too Many Requests
- Wait for `retry_after` seconds
- Implement exponential backoff
- Upgrade to OAuth for higher limits
- Cache frequent queries
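The 429 advice above (honor `retry_after`, back off exponentially, cache repeated queries) fits in a small client wrapper. This added example is not FLTR's SDK: it models a response as a `(status, headers, body)` tuple so the retry logic can be exercised offline, reads `retry_after` from the JSON body as this page describes and falls back to the standard HTTP `Retry-After` header, and otherwise waits with full-jitter exponential backoff. The simulated responses are constructed for the demo.

```python
import json
import random
import time
from typing import Callable, Dict, Tuple

# A response is modelled as (status, headers, body) so the logic runs offline.
Response = Tuple[int, Dict[str, str], str]


def retry_delay(resp: Response, attempt: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait before retrying a 429. Uses retry_after from the JSON body
    (the field this page names), else an HTTP Retry-After header, else exponential
    backoff with full jitter capped at `cap` seconds."""
    _status, headers, body = resp
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    hint = payload.get("retry_after") if isinstance(payload, dict) else None
    if hint is None:
        hint = headers.get("Retry-After")
    if hint is not None:
        try:
            return max(0.0, float(hint))
        except (TypeError, ValueError):
            pass  # unparsable hint: fall through to backoff
    return random.uniform(0.0, min(cap, base * (2 ** attempt)))


def request_with_backoff(send: Callable[[], Response], max_attempts: int = 5,
                         sleep: Callable[[float], None] = time.sleep) -> Response:
    """Call `send` until it returns something other than 429, waiting between attempts."""
    for attempt in range(max_attempts):
        resp = send()
        if resp[0] != 429:
            return resp
        if attempt == max_attempts - 1:
            break
        sleep(retry_delay(resp, attempt))
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


class TTLCache:
    """Small cache so repeated identical queries do not spend rate-limit budget."""

    def __init__(self, ttl: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._items: Dict[str, Tuple[float, Response]] = {}

    def get_or_fetch(self, key: str, fetch: Callable[[], Response]) -> Response:
        entry = self._items.get(key)
        if entry and entry[0] > self.clock():
            return entry[1]
        resp = request_with_backoff(fetch)
        if resp[0] == 200:  # only cache successes
            self._items[key] = (self.clock() + self.ttl, resp)
        return resp


if __name__ == "__main__":
    # Constructed server behaviour: rate-limits the first two calls, then succeeds.
    calls = iter([
        (429, {}, json.dumps({"retry_after": 2})),
        (429, {"Retry-After": "1"}, ""),
        (200, {}, json.dumps({"results": []})),
    ])
    waited = []
    resp = request_with_backoff(lambda: next(calls), sleep=waited.append)
    print("status", resp[0], "waited", waited)
```

Injecting `sleep` and `clock` keeps the wrapper testable; in production the defaults (`time.sleep`, `time.monotonic`) apply, and the cache key should include every query parameter that affects the response.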
Migration Guide
From Anonymous → API Key
- Create account at www.tryfltr.com
- Generate API key in Settings → API Keys
- Add Authorization header to all requests:
From API Key → OAuth
- Register OAuth application in dashboard
- Implement PKCE authorization flow
- Exchange authorization code for access token
- Replace API key with access token:
OAuth Implementation Guide
Complete OAuth setup instructions →