Authentication #

CommFlow supports multiple authentication methods for different use cases. Choose the method that best fits your integration needs.

Authentication Methods #

Method	Use Case
API Keys	Server-to-server integrations
OAuth 2.0	Apps acting on behalf of users
Personal Access Tokens	Developer/testing use

API Keys #

API keys are the simplest way to authenticate server-side applications.

Creating API Keys #

Go to Settings > API
Click Create API Key
Enter a name (e.g., "CRM Integration")
Select scopes (permissions)
Click Create
Copy the key immediately (shown only once)

Using API Keys #

Include the key in the Authorization header:

GET /v1/conversations HTTP/1.1
Host: api.commflow.io
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxx

Or with curl:

curl -X GET "https://api.commflow.io/v1/conversations" \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxx"

Key Types #

Type	Prefix	Environment
Live	`sk_live_`	Production
Test	`sk_test_`	Development

Test keys:

Safe for development
Don't affect live data
Same API behavior

Key Management #

Viewing Keys:

Go to Settings > API
See all active keys
View last used date

Revoking Keys:

Find the key to revoke
Click Revoke
Confirm revocation
Key immediately stops working

Rotating Keys:

Create a new key
Update your application
Verify it works
Revoke the old key

API Key Scopes #

Limit what each key can access:

Available Scopes #

Scope	Description
conversations:read	Read conversations and messages
conversations:write	Create and update conversations
contacts:read	Read contact data
contacts:write	Create and update contacts
tickets:read	Read inbox tickets
tickets:write	Create and update tickets
users:read	Read user information
users:write	Manage users (admin)
files:read	Read files from DataFort
files:write	Upload and manage files
webhooks:manage	Manage webhook subscriptions

Scope Best Practices #

Minimal permissions - Only request what you need
Separate keys - Different keys for different purposes
Read-only default - Start with read, add write as needed

Example Scoped Key #

For a reporting integration:

Scopes: conversations:read, contacts:read, tickets:read

This key can read data but cannot modify anything.

OAuth 2.0 #

OAuth allows your app to act on behalf of users, with their permission.

When to Use OAuth #

User-facing apps - Apps that users log into
Marketplace apps - Third-party integrations
Per-user permissions - Actions attributed to users

OAuth Flow Overview #

┌────────────┐                              ┌────────────┐
│            │  1. Authorization Request    │            │
│   Your     │ ───────────────────────────> │  CommFlow  │
│   App      │                              │            │
│            │  2. Authorization Code       │            │
│            │ <─────────────────────────── │            │
│            │                              └────────────┘
│            │  3. Exchange Code for Token  ┌────────────┐
│            │ ───────────────────────────> │  CommFlow  │
│            │                              │   API      │
│            │  4. Access Token             │            │
│            │ <─────────────────────────── │            │
│            │                              │            │
│            │  5. API Requests with Token  │            │
│            │ ───────────────────────────> │            │
└────────────┘                              └────────────┘

Setting Up OAuth #

1. Create OAuth App #

Go to Settings > API > OAuth Apps
Click Create App
Enter app details:
- Name - Display name
- Redirect URI - Your callback URL
- Scopes - Required permissions
Save to get credentials

2. Get Credentials #

You'll receive:

Client ID - Public identifier
Client Secret - Keep this secret

Authorization Request #

Redirect users to authorize:

https://app.commflow.io/oauth/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=conversations:read+contacts:read
  &state=random_state_string

Parameter	Required	Description
`client_id`	Yes	Your OAuth client ID
`redirect_uri`	Yes	Your callback URL
`response_type`	Yes	Must be `code`
`scope`	Yes	Space-separated scopes
`state`	Recommended	CSRF protection string

Authorization Response #

After user approves, they're redirected to your callback:

https://yourapp.com/callback
  ?code=AUTH_CODE_HERE
  &state=random_state_string

Exchange Code for Token #

curl -X POST "https://api.commflow.io/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "AUTH_CODE_HERE",
    "redirect_uri": "https://yourapp.com/callback",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Response:

{
  "access_token": "at_xxxxxxxxxxxxxx",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rt_xxxxxxxxxxxxxx",
  "scope": "conversations:read contacts:read"
}

Using Access Tokens #

GET /v1/conversations HTTP/1.1
Host: api.commflow.io
Authorization: Bearer at_xxxxxxxxxxxxxx

Refreshing Tokens #

Access tokens expire. Use refresh tokens to get new ones:

curl -X POST "https://api.commflow.io/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "rt_xxxxxxxxxxxxxx",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Revoking Tokens #

curl -X POST "https://api.commflow.io/oauth/revoke" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "at_xxxxxxxxxxxxxx",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'

Personal Access Tokens #

For individual developer use and testing.

Creating Personal Tokens #

Go to Settings > Account > Access Tokens
Click Generate Token
Name the token
Set expiration
Copy the token

Using Personal Tokens #

Same as API keys:

Authorization: Bearer pat_xxxxxxxxxxxxxx

Token Expiration #

Setting	Duration
7 days	Short-term testing
30 days	Development
90 days	Extended use
No expiration	Long-term (not recommended)

Security Best Practices #

Protecting Credentials #

Never expose in client code - API keys should stay server-side
Use environment variables - Don't hardcode credentials
Don't commit to version control - Add to .gitignore
Encrypt at rest - Secure storage

Example: Environment Variables #

# .env file (not committed)
COMMFLOW_API_KEY=sk_live_xxxxxxxxxx

// app.js
const apiKey = process.env.COMMFLOW_API_KEY;

Key Rotation #

Rotate keys periodically:

Create new key with same scopes
Deploy update to use new key
Verify new key works
Revoke old key
Monitor for errors

Incident Response #

If a key is compromised:

Revoke immediately - Stop unauthorized access
Audit logs - Check for unauthorized activity
Create new key - For legitimate use
Investigate - How was it exposed?
Remediate - Fix the security gap

Authentication Errors #

Common Errors #

Error	Cause	Solution
`401 Unauthorized`	Invalid/missing token	Check token is correct
`403 Forbidden`	Insufficient scope	Add required scope
`401 Token expired`	Access token expired	Refresh the token
`400 Invalid grant`	Bad OAuth code	Request new auth code

Error Response #

{
  "error": {
    "type": "authentication_error",
    "code": "invalid_api_key",
    "message": "The API key provided is invalid."
  }
}

Testing Authentication #

Verify Your Key #

curl -X GET "https://api.commflow.io/v1/me" \
  -H "Authorization: Bearer YOUR_API_KEY"

Successful response:

{
  "id": "user_123",
  "email": "you@company.com",
  "name": "Your Name",
  "workspace": {
    "id": "ws_456",
    "name": "Your Workspace"
  }
}

Test vs Live Keys #

Use test keys during development:

# Development
COMMFLOW_API_KEY=sk_test_xxxxxxxxxx
 
# Production
COMMFLOW_API_KEY=sk_live_xxxxxxxxxx

Next Steps #

API Overview - API basics
Endpoints - Full endpoint reference

Was this page helpful?