Verify API key
GET /api/v1/auth/verify — confirm an API key is valid and list the appIds it can access.
GET /api/v1/auth/verify is the authenticated credential test. Call it once at workflow startup (or whenever your client needs to confirm its key) to validate the key and discover which appIds it covers.
Request
GET /api/v1/auth/verify HTTP/1.1
Host: privacyflow.app
Authorization: Bearer pf_live_your_key_here
Auth required. Accepts any of the three header methods subject to your credential’s type — see Authentication.
curl
curl -s https://privacyflow.app/api/v1/auth/verify \
-H "Authorization: Bearer $PRIVACYFLOW_API_KEY"
Response
200 OK:
{
"valid": true,
"appIds": ["app_123", "app_456"]
}
Schema
| Field | Type | Notes |
|---|---|---|
valid | boolean | Always true on a 200. The key was recognized and is not associated with an empty appIds list. |
appIds | string[] | Every appId this key may poll and send from. Use these values as the appId field in POST /api/v1/messages/send. |
Status codes
| Code | When |
|---|---|
200 | Key is valid and has at least one appId mapped. |
401 | Missing key header, no key header matches the credential type, the key wasn’t found, or the key was found but has no appIds mapped. |
429 | Rate-limited — rare; this endpoint is uncapped in practice but the limiter applies. |
503 | Backend lookup failed (key store unreachable). |
Why a key with no appIds fails
A credential object always carries appIds[]. If the dashboard maps out every appId for a key (e.g., you deleted the app the credential was scoped to), the API looks up the key successfully but returns:
HTTP/1.1 401 Unauthorized
{ "error": "API key not associated with any apps" }
Re-issue the credential from the dashboard Credentials section, scoped to at least one existing app.
Client-side verification
The n8n community node uses this endpoint as its credential test: n8n pings /auth/verify when you click “Test connection” in the credential editor. The MCP server exposes it as the privacyflow_verify_api_key tool so the LLM can sanity-check its config without burning a poll budget.
Tip
Call /auth/verify once when your automation starts — its response tells you exactly which appIds you may use for send, and you can cache the result for the process lifetime. The result is stable until you re-issue or revoke the credential.