
API Authentication

The API Settings page lets workspace admins control who can call your public endpoints and what data each key can send.

| API | Purpose |
|---|---|
| Integration API | Ingest events / profile updates; read profiles; trigger workflows |
| Metrics API | Run pre‑defined metric queries or ad‑hoc SQL via HTTPS |

1. Access Control by IP

Every key supports an allow‑list:

  • Anywhere – key will work from any source IP (default).

  • Specific locations – supply one or more static IPv4/IPv6 addresses (or /32 sub‑nets).

    • Click Add IP address, enter IP and optional description, Save.

    • Remove via the red “Remove” link next to the row.

If the caller’s IP is not on the list, the request returns 403 Forbidden.

2. Integration API Key Scopes

2.1 Write‑Only Key

Can only POST data. Ideal for frontend applications or backend collectors.

2.2 Read & Write Key

Full CRUD—needed for operations that fetch profile information.

2.3 Allowed Profile Events

Limit which profile events can be sent with this key.

| Option | Behaviour |
|---|---|
| All Profile Events | No restriction. |
| Specific Profile Events | Toggle chips for the exact event names you wish to allow (e.g. email_verified, login). Any disallowed event will be rejected. |
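
The three per-key controls from sections 1 and 2 (IP allow-list, key scope, allowed profile events) can be modelled locally to check a planned key configuration before rolling it out. This is an added example, not UserFlux code: the KeyPolicy fields, the evaluate function, the order of the checks, the event name plan_upgraded and the sample IPs are assumptions, and only the 403 response for a disallowed IP comes from this page.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class KeyPolicy:
    """Hypothetical local model of one Integration API key (not a UserFlux type)."""
    scope: str                                          # "write_only" or "read_write"
    allowed_ips: list = field(default_factory=list)     # empty list = "Anywhere"
    allowed_profile_events: Optional[set] = None        # None = "All Profile Events"


def ip_allowed(policy, source_ip):
    """True if the key is set to Anywhere or source_ip matches an allow-list entry."""
    if not policy.allowed_ips:
        return True
    addr = ipaddress.ip_address(source_ip)
    for entry in policy.allowed_ips:
        # A bare address and its /32 (IPv4) or /128 (IPv6) form parse to the same network.
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def evaluate(policy, source_ip, method, profile_event=None):
    """Return (accepted, reason). The order of the checks is an assumption."""
    if not ip_allowed(policy, source_ip):
        return False, "403 Forbidden: source IP not on allow-list"
    if policy.scope == "write_only" and method.upper() != "POST":
        return False, "rejected: Write-Only key can only POST"
    allowed = policy.allowed_profile_events
    if profile_event is not None and allowed is not None and profile_event not in allowed:
        return False, "rejected: profile event not allowed for this key"
    return True, "accepted"


# Constructed sample configuration; IPs are from documentation-reserved ranges.
FRONTEND_KEY = KeyPolicy("write_only", [], {"email_verified", "login"})
BACKEND_KEY = KeyPolicy("read_write", ["203.0.113.7", "2001:db8::10/128"])

if __name__ == "__main__":
    for key, ip, method, event in [
        (FRONTEND_KEY, "198.51.100.23", "POST", "login"),
        (FRONTEND_KEY, "198.51.100.23", "GET", None),
        (FRONTEND_KEY, "198.51.100.23", "POST", "plan_upgraded"),
        (BACKEND_KEY, "203.0.113.8", "GET", None),
    ]:
        print(ip, method, event, "->", evaluate(key, ip, method, event))
```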

3. Metrics API Security

The Metrics API is authenticated using a Client Secret and API Key. You can use these to generate a short-lived Access Token which can then be used for subsequent calls to the API.

Never use the Metrics API directly on the frontend. Always proxy the data you are after via your backend so that you do not expose the API Keys.

| Setting | Description |
|---|---|
| Cache TTL (minutes) | Server‑side cache for query results (min 5 min). Increase to reduce database load in dashboards. |
| Access Control | Same “Anywhere / Specific locations” IP allow‑list as above. Only one key exists for Metrics API. |

4. Best Practices

  • Use the Integration API's Read & Write Key on your backend for user event tracking associated with key business reporting or workflow triggers

  • For any integration on the frontend, use only the Write-Only Key

  • Scope user events on public keys to the absolute minimum

  • Never use the Metrics API directly on the frontend. Always proxy the data you are after via your backend so that you do not expose the API Keys

  • Limit IP Access for the Integration API Read & Write Key as well as the Metrics API


Last updated 1 month ago