Authentication
The three header methods PrivacyFlow accepts and which credential type allows which, with a curl example for each.
Every authenticated PrivacyFlow request carries one API key in one of three HTTP headers. The header you’re allowed to use is determined by the credential type the dashboard issued. This page is the full matrix.
The three header methods
The API reads the key from one of three locations, in priority order. If more than one is present, the first match wins.
| Priority | Header | Format |
|---|---|---|
| 1 | Authorization | Bearer <key> |
| 2 | X-API-Key | <key> (raw header value) |
| 3 | X-Webhook-Token | <key> (raw header value) |
Which credential types allow which headers
The credential type (set when the dashboard creates it) restricts which of those headers you may send. Send the wrong one and you get 401 Unauthorized.
| Credential type | Authorization: Bearer | X-API-Key | X-Webhook-Token |
|---|---|---|---|
api-key | ✅ | ✅ | ❌ |
webhook-bearer | ✅ | ❌ | ❌ |
webhook-header | ❌ | ❌ | ✅ |
If a key has no type recorded, the API treats it as api-key for backwards compatibility — so existing keys keep working.
Note
The api-key type deliberately accepts both Bearer and X-API-Key so you can use whichever is more ergonomic in your HTTP client. Most automation tools prefer Authorization: Bearer.
How to choose
- Default to
api-key. Issue it from the dashboard Credentials section. UseAuthorization: Bearer <key>for any HTTP client and you’re done. - Use
webhook-beareronly when you’re configuring inbound webhook delivery to a receiver that speaks Bearer natively. The key can still poll and send over Bearer, so it doubles as a test credential. - Use
webhook-headeronly when your receiver is a service that needs a dedicated header (e.g., some n8n webhook auth schemes). It can only authenticate viaX-Webhook-Token; it cannot useBearer.
curl examples — all three methods, all three types
api-key via Bearer
curl "$PRIVACYFLOW_BASE_URL/api/v1/auth/verify" \
-H "Authorization: Bearer $PRIVACYFLOW_API_KEY"
api-key via X-API-Key
curl "$PRIVACYFLOW_BASE_URL/api/v1/auth/verify" \
-H "X-API-Key: $PRIVACYFLOW_API_KEY"
webhook-bearer (Bearer only)
curl "$PRIVACYFLOW_BASE_URL/api/v1/auth/verify" \
-H "Authorization: Bearer $PRIVACYFLOW_API_KEY"
webhook-header (X-Webhook-Token only)
curl "$PRIVACYFLOW_BASE_URL/api/v1/auth/verify" \
-H "X-Webhook-Token: $PRIVACYFLOW_API_KEY"
What happens on a mismatch
Sending a header your credential type doesn’t allow returns:
HTTP/1.1 401 Unauthorized
{ "error": "Authentication method not allowed for this credential type" }
Sending any of the three headers with an invalid key returns:
401 Unauthorizedon/api/v1/auth/verify403 Forbiddenon/api/v1/messages/polland/api/v1/messages/send
The intentional 401-vs-403 split lets you distinguish “wrong header method” (a config bug) from “wrong key” (a secret bug) in your logs. See errors and limits for the full status table.
Rotating and revoking keys
The dashboard Credentials section lets you replace or delete a key. Replacing keeps the same credentialId, so rate-limit buckets and any webhook auth configured against the key keep working; only the key string changes. Deleting frees the credentialId immediately.
Tip
Issue one credential per integration. If the n8n node’s key rotates, the MCP server keeps working — they’re independent credentials with independent rate budgets.