Authentication
Use Bearer API keys issued from the workspace. Respect per-key permissions and rate-limit headers.
Base route
https://api.filemorf.com/api/public
Auth
Bearer API key created from the workspace.
Delivery model
Signed uploads, queued jobs, retained artifacts, refreshable URLs.
Bearer Auth
Every request uses a Bearer API key
Send the raw API key in the Authorization header. FileMorf resolves the key to its owner, permissions, and per-key rate limits.
| Header | Required | Purpose |
|---|---|---|
| Authorization: Bearer fm_live_... | Yes | Authenticates the request. |
| Content-Type: application/json | POST JSON only | Used for JSON request bodies. |
| Idempotency-Key: <unique value> | Recommended on writes | Makes create calls retry-safe. |
Permissions
Permissions are enforced per key
The public API checks the key before the route logic runs. Keys without the required permission receive 403 responses.
- jobs.read gates list and read routes, including recipe-run reads and URL refresh.
- jobs.write gates job creation, merge creation, recipe creation, and recipe runs.
- Plan features still apply after permission checks. A valid key cannot bypass plan entitlements.
Operational guidance
Handle keys like production credentials
The key secret is only shown once at creation time. Build your integration around least privilege and fast rotation.
- Keep keys in a secret manager or deployment environment, not in frontend bundles.
- Rotate any key that appears in support tickets, screenshots, terminal recordings, or chat transcripts.
- Prefer one key per integration surface so rate limits and revocation are scoped cleanly.
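An added example (not FileMorf's own code) that ties the header table to the key-handling guidance: the key comes from the environment, one Idempotency-Key is reused across retries of a create call, a 403 is treated as a permission failure, and key-like strings are masked before logging. The `FILEMORF_API_KEY` variable name, the caller-supplied `send` transport, and the character set after the `fm_live_` prefix are assumptions.

```python
import os
import re
import uuid

BASE_ROUTE = "https://api.filemorf.com/api/public"  # base route from the page
# Only the "fm_live_" prefix is documented; the trailing character set is an assumption.
KEY_PATTERN = re.compile(r"fm_live_[A-Za-z0-9_-]+")


def load_key(env=None, var="FILEMORF_API_KEY"):
    """Read the key from the environment (the variable name is an assumption)."""
    key = (os.environ if env is None else env).get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to send an unauthenticated request")
    return key


def redact(text):
    """Mask anything that looks like a key before it reaches logs or tickets."""
    return KEY_PATTERN.sub("fm_live_[REDACTED]", text)


def build_headers(key, idempotency_key=None, json_body=False):
    """Build the request headers listed in the table above."""
    headers = {"Authorization": f"Bearer {key}"}
    if json_body:
        headers["Content-Type"] = "application/json"
    if idempotency_key:
        headers["Idempotency-Key"] = idempotency_key
    return headers


def create_with_retry(send, key, path, body, attempts=3):
    """POST through send(url, headers, body) -> HTTP status (hypothetical transport).

    One Idempotency-Key is generated up front and reused on every attempt,
    so a retry after a dropped connection cannot create a second job.
    """
    headers = build_headers(key, idempotency_key=str(uuid.uuid4()), json_body=True)
    url = BASE_ROUTE + path
    for attempt in range(1, attempts + 1):
        try:
            status = send(url, headers, body)
        except ConnectionError as exc:
            print(redact(f"attempt {attempt} failed: {exc}"))
            continue
        if status == 403:
            # Missing permission (for example jobs.write): retrying cannot help.
            raise PermissionError("key lacks the permission this route requires")
        return status
    raise ConnectionError(f"gave up after {attempts} attempts")
```

Pass `create_with_retry` a `send` function that wraps your HTTP client; the route path is a parameter because this page documents only the base route.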