API Keys

Use API keys for AI providers, HTTP requests, and key-based app integrations.

Some integrations and services authenticate with API keys instead of OAuth. TogoFlow supports API keys at both the organization level and per-node.

Organization API keys

Manage keys in Settings → API Keys:

  1. Click Create API Key.
  2. Give it a name and optional description.
  3. Copy the key immediately — it's only shown once.
  4. Use this key to authenticate external calls to your TogoFlow workflows (webhook authentication, public API access).

Organization API keys have scopes and optional expiration dates. Revoke keys you no longer need.

AI provider keys

AI nodes need a key from your chosen provider:

Provider | Where to get a key
OpenAI | platform.openai.com/api-keys
Anthropic | console.anthropic.com
Google Gemini | aistudio.google.com/apikey

Add your key in Settings → Agent (organization default) or directly in the AI node's configuration panel.

App integration keys

These apps use API key authentication:

App | Key type
Stripe | Secret key (sk_live_... or sk_test_...)
SendGrid | API key
Mailgun | API key
Telegram | Bot token
Airtable | Personal access token
Notion | Integration token
Postmark | Server API token

Enter the key when configuring the Action node, or store it as a workflow variable:

  1. Add a variable: stripeSecretKey = sk_live_...
  2. Reference it in the Action node fields (if the app supports variable references)
  3. Or use an HTTP Request node: Authorization: Bearer {{variables.stripeSecretKey}}

Workflow variables for secrets

Store sensitive values as workflow variables instead of hardcoding them in node fields:

Variable | Example value
weatherApiKey | abc123...
slackWebhookUrl | https://hooks.slack.com/...
stripeSecretKey | sk_live_...

Reference with {{variables.weatherApiKey}} in HTTP URLs, headers, or Function node code.

HTTP Request authentication

For APIs without a dedicated integration, use the HTTP Request node:

Headers:
  Authorization: Bearer {{variables.apiToken}}
  X-API-Key: {{variables.serviceKey}}

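Or append the key to the URL. Prefer the header form when the API accepts it, because full URLs are commonly recorded in server and proxy logs: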

https://api.example.com/data?api_key={{variables.apiKey}}

Security best practices

  • Never commit API keys to version control or share them in workflow exports.
  • Use workflow variables or organization settings to centralize keys.
  • Rotate keys periodically and revoke unused ones.
  • Use test/sandbox keys during development (e.g. Stripe sk_test_...).
  • Set expiration dates on organization API keys when possible.
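
A pre-share check for the first two practices above, as an added example that is not TogoFlow code: it walks a workflow export and reports fields that hold a literal secret instead of a {{variables.…}} reference. The JSON layout, the rule names and the scan function are assumptions made for illustration; TogoFlow's export schema is not described on this page.

```python
import json
import re

# A value that references a workflow variable is fine; a literal is a finding.
VAR_REF = re.compile(r"\{\{\s*variables\.\w+\s*\}\}")

# Literal-secret shapes, limited to the formats this page mentions.
VALUE_RULES = [
    ("stripe-secret-key", re.compile(r"\bsk_(live|test)_\w+")),
    ("slack-webhook-url", re.compile(r"https://hooks\.slack\.com/\S+")),
    ("literal-bearer-token", re.compile(r"\bBearer\s+(?!\{\{)\S+")),
    ("literal-api_key-param", re.compile(r"[?&]api_key=(?!\{\{)[^&\s]+")),
]
# Field names whose value should always be a variable reference.
SENSITIVE_FIELD = re.compile(r"(?i)^(authorization|x-api-key|api[_-]?key|token)$")

def scan(node, path="$"):
    """Walk parsed JSON and return sorted (path, rule) pairs, never the secret."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (isinstance(value, str) and value
                    and SENSITIVE_FIELD.match(key) and not VAR_REF.search(value)):
                found.add((child, "literal-in-sensitive-field"))
            found.update(scan(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found.update(scan(item, f"{path}[{index}]"))
    elif isinstance(node, str):
        found.update((path, rule) for rule, rx in VALUE_RULES if rx.search(node))
    return sorted(found)

# Constructed sample: the layout is hypothetical, not TogoFlow's export schema.
SAMPLE_EXPORT = json.loads("""
{
  "variables": {"stripeSecretKey": "sk_test_CONSTRUCTEDexample", "weatherApiKey": ""},
  "nodes": [
    {"url": "https://api.example.com/data?api_key={{variables.apiKey}}",
     "headers": {"Authorization": "Bearer {{variables.apiToken}}"}},
    {"url": "https://api.example.com/data?api_key=constructed123",
     "headers": {"X-API-Key": "constructed-literal"}}
  ]
}
""")

if __name__ == "__main__":
    for location, rule in scan(SAMPLE_EXPORT):
        print(f"{location}: {rule}")
```

Findings carry only the JSON path and the rule name, so the output can go into a ticket or CI log without repeating the secret. The third finding in the sample is a variable's stored value, which shows that a key moved into a variable still has to be removed before a file containing it is shared.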

Troubleshooting

Problem | Fix
401 Unauthorized | Verify the key is correct and hasn't expired
403 Forbidden | Check that the key has the required permissions/scopes
Key not found in variables | Ensure the variable name matches exactly (case-sensitive)