Verify API key

GET /api/v1/auth/verify — confirm an API key is valid and list the appIds it can access.

GET /api/v1/auth/verify is the authenticated credential test. Call it once at workflow startup (or whenever your client needs to confirm its key) to validate the key and discover which appIds it covers.

Request

GET /api/v1/auth/verify HTTP/1.1
Host: privacyflow.app
Authorization: Bearer pf_live_your_key_here

Auth required. Accepts any of the three header methods subject to your credential’s type — see Authentication.

curl

curl -s https://privacyflow.app/api/v1/auth/verify \
  -H "Authorization: Bearer $PRIVACYFLOW_API_KEY"

Response

200 OK:

{
  "valid": true,
  "appIds": ["app_123", "app_456"]
}

Schema

FieldTypeNotes
validbooleanAlways true on a 200. The key was recognized and is not associated with an empty appIds list.
appIdsstring[]Every appId this key may poll and send from. Use these values as the appId field in POST /api/v1/messages/send.

Status codes

CodeWhen
200Key is valid and has at least one appId mapped.
401Missing key header, no key header matches the credential type, the key wasn’t found, or the key was found but has no appIds mapped.
429Rate-limited — rare; this endpoint is uncapped in practice but the limiter applies.
503Backend lookup failed (key store unreachable).

Why a key with no appIds fails

A credential object always carries appIds[]. If the dashboard maps out every appId for a key (e.g., you deleted the app the credential was scoped to), the API looks up the key successfully but returns:

HTTP/1.1 401 Unauthorized
{ "error": "API key not associated with any apps" }

Re-issue the credential from the dashboard Credentials section, scoped to at least one existing app.

Client-side verification

The n8n community node uses this endpoint as its credential test: n8n pings /auth/verify when you click “Test connection” in the credential editor. The MCP server exposes it as the privacyflow_verify_api_key tool so the LLM can sanity-check its config without burning a poll budget.

Tip

Call /auth/verify once when your automation starts — its response tells you exactly which appIds you may use for send, and you can cache the result for the process lifetime. The result is stable until you re-issue or revoke the credential.

Last updated: