Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.qflowhub.io/llms.txt

Use this file to discover all available pages before exploring further.

Every request to api.qflowhub.io requires two headers: 
Authorization:              Bearer <access_token>
Ocp-Apim-Subscription-Key:  <subscription_key>
These authenticate two different things:
CredentialWhat it identifiesHow to get it
Bearer tokenThe Qflow user making the requestOAuth flow against identity.qflowhub.io (below)
Subscription keyYour APIM subscription / billable accountSent in your welcome email when access is enabled
Calls missing either header are rejected at the API gateway before reaching the backend.

Bearer tokens

OAuth 2.0 access tokens issued by Qflow’s identity server.

Resource Owner password flow (your own account)

If you’re integrating against your own Qflow account, the simplest flow: 
curl -X POST 'https://identity.qflowhub.io/core/connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=password' \
  -d 'client_id=<your-client-id>' \
  -d 'client_secret=<your-client-secret>' \
  -d 'scope=qflowapi+openid+offline_access' \
  -d 'username=<enterprise_pin>/<email>' \
  -d 'password=<password>'
Response: 
{
  "access_token":  "c6102720a52dbd822e24d567b002160c",
  "expires_in":    3600,
  "token_type":    "Bearer",
  "refresh_token": "2573de01ab1b8a1d0bb3b1ac4dd0b3ca"
}
Username format: if you’re an enterprise customer, prepend your enterprise PIN with a slash: enterprise_pin/joe.bloggs@example.com. Non-enterprise users just use the email.

Refresh tokens

When your access token expires (after 1 hour), use the refresh token to get a new one without re-prompting for credentials: 
curl -X POST 'https://identity.qflowhub.io/core/connect/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token' \
  -d 'client_id=<your-client-id>' \
  -d 'client_secret=<your-client-secret>' \
  -d 'refresh_token=<refresh_token>'
Response: a fresh access_token and a new refresh_token.
  • Refresh tokens are single-use. Each refresh returns a new refresh token; the old one stops working.
  • Because we use offline_access scope, refresh tokens don’t expire unless explicitly revoked.
  • Store refresh tokens like passwords — they’re long-lived credentials.

Authorization Code flow (3rd-party integrations)

If you’re building an app that signs in other Qflow users (not your own account), use the standard OAuth 2.0 Authorization Code flow against the same identity server. Contact support@qflowhub.io for client registration if your use case requires this.

Subscription keys

Your subscription key (Ocp-Apim-Subscription-Key) identifies your APIM subscription and is required on every API call.

Where to get it

Your subscription key is sent in the welcome email when your account is enabled for API access. If you don’t have the email, contact support@qflowhub.io.

Using it

Send as an HTTP header on every request: 
Ocp-Apim-Subscription-Key: 1f7105f7f98843d9bb6abdf1fb8c027e
A typical authenticated request looks like: 
curl -X POST 'https://api.qflowhub.io/checkin/v1/api/event' \
  -H 'Authorization: Bearer <access_token>' \
  -H 'Ocp-Apim-Subscription-Key: <subscription_key>' \
  -H 'Content-Type: application/json' \
  -d '{ ... }'
Treat your subscription key like a password. Don’t commit it to source control, log it, or expose it in client-side code. If compromised, contact support to rotate.

Comms API access (allow-list)

The Comms API endpoints (/comms/v1/api/comms/* and the commsTemplateId parameter on POST /checkin/v1/api/guest) are additionally restricted to enabled accounts. Allow-list access is granted in two ways:
  • Per-user — your specific user GUID is allow-listed
  • Per-enterprise — your enterprise pin is allow-listed (covers all users in the enterprise)
Check whether your account has Comms access: 
curl -X GET 'https://api.qflowhub.io/comms/v1/api/comms/templates?eventId=<your-event>' \
  -H 'Authorization: Bearer <token>' \
  -H 'Ocp-Apim-Subscription-Key: <subscription_key>'
ResponseMeaning
200 OKComms API access is enabled
403 comms_api_not_enabledNot enabled — request access via support

Trust gate

In addition to allow-listing, sending operations that trigger an actual email require your account to be verified (KYC complete). Unverified accounts get 403 trust_required when attempting to send. Visit qflowhub.io/manage to complete verification.