Skip to main content

Documentation Index

Fetch the complete documentation index at: https://segmentflow.ai/docs/llms.txt

Use this file to discover all available pages before exploring further.

Minting a key

  1. Sign in at dashboard.segmentflow.ai.
  2. Open Settings → API Keys.
  3. Click Create API key, give it a label (e.g. production-zapier), and pick the scopes it needs.
  4. Copy the key — it’s shown once, never again. Store it in your secrets manager.

Using the key

Send the key on every request as the x-api-key header: 
curl https://api.segmentflow.ai/api/v1/public/templates \
  -H "x-api-key: sk_live_..."
A missing or invalid key returns 401 Unauthorized. A valid key without the required scope returns 403 Forbidden.

Scopes

Each key carries a fixed set of scopes. The dashboard scope picker lists every available scope; the most common ones are:
ScopeResourceDescription
journeys:triggerJourneysTrigger an API-entry journey
journeys:readJourneysRead journey run status
templates:readTemplatesList and read email templates
segments:readSegmentsList segments and run audience previews
assets:writeAssetsMint presigned uploads and finalize asset rows
brand-kit:readBrand kitRead brand kits
broadcasts:createBroadcastsOne-shot broadcast create+send (legacy)
broadcasts:prepareBroadcastsBuild a broadcast dry-run
broadcasts:sendBroadcastsRedeem a prepared send
broadcasts:cancelBroadcastsCancel an in-flight broadcast
broadcasts:readBroadcastsRead broadcast status

The allowSends flag

Sending a broadcast is destructive. To prevent agent or automation tooling from triggering sends accidentally, every key carries a separate allowSends flag in its metadata. The flag is off by default. Endpoints that actually fire bytes — currently POST /broadcasts/send-prepared — require both the broadcasts:send scope and allowSends=true on the key. A key with the scope but not the flag returns 403 send_not_allowed. Mint read-only keys for tools that should never send (analytics dashboards, BI exports, AI drafting agents). Mint a separate send-enabled key for the workflow that actually triggers broadcasts.

Rotating and revoking keys

Keys never expire automatically — rotate on a schedule that matches your security policy. Revoke a leaked key from Settings → API Keys → Revoke. Revocation takes effect within seconds; in-flight requests on a revoked key complete, but the next request returns 401.

Idempotency

Destructive endpoints accept an Idempotency-Key header. Send the same key with the same body to safely retry — the server replays the original response instead of acting twice. Currently honored on:
  • POST /api/v1/public/broadcasts
  • POST /api/v1/public/broadcasts/prepare
  • POST /api/v1/public/broadcasts/{id}/cancel
  • POST /api/v1/public/journeys/{id}/trigger
Keys live for 24 hours. Reusing an Idempotency-Key with a different body returns 422 idempotency_key_reuse.