Credential model
Use an API key
The imported OpenAPI source defines a global API key security scheme named ApiKeyAuth. The key can be obtained from Yeeflow system settings according to the copied source documentation.
| Credential | Documented location | Preferred use |
|---|---|---|
ApiKeyAuth | apiKey header | Server-side requests from trusted code. |
Header usage
Prefer the apiKey header
Use placeholders in examples and inject the real value from server-side configuration.
curl "https://api.yeeflow.com/v1/users/search" \
-H "apiKey: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"PageIndex":1,"PageSize":20}'const response = await fetch("https://api.yeeflow.com/v1/users/search", {
method: "POST",
headers: {
"Content-Type": "application/json",
apiKey: process.env.YEEFLOW_API_KEY || "",
},
body: JSON.stringify({
PageIndex: 1,
PageSize: 20,
}),
});
const result = await response.json();Less preferred
Query-string API key usage
The copied OpenAPI source mentions passing the API key as a query parameter. Prefer the header pattern above because URLs are more likely to appear in logs, browser history, analytics tools, and shared screenshots.
Safety
Do not expose keys in browser-side JavaScript
- Keep API keys in server-side environment variables or a secret manager.
- Proxy browser requests through your own backend when a web UI needs Yeeflow data.
- Do not commit API keys to source control or paste them into support tickets.
- Rotate a key if it may have been exposed.
Yeeflow runtime
Custom Code context
The copied OpenAPI source notes that when requesting Open API from a Custom Code control on a form, you do not need to provide an API key because the form executes the API under the current user context.
Treat this as Yeeflow runtime behavior, not as a pattern for public web apps. For external integrations, keep API calls server-side and authenticated.