Authentication | FrameFlow API

Secure access to the AI-Powered 4K Stock Footage Marketplace

Developer Access

API Keys

Generate and manage your project credentials directly from the FrameFlow Developer Console.

Create a New Key

Navigate to Dashboard > Settings > API Access. Click "Generate Secret" to create a v3 HMAC key. Keys follow the format `ff_live_8x9a2b...` and are scoped to specific asset tiers (Standard, Pro, Enterprise).

Key Rotation

Automatically rotate credentials every 90 days using the `/v1/auth/rotate` endpoint. Old keys remain active for 72 hours to prevent downtime during deployment cycles.

Include your key in the `Authorization: Bearer ff_live_...` header for every request. Rate limits scale with your subscription: 120 req/min for Standard, 600 req/min for Pro.

User Delegation

OAuth 2.0 Flow

Enable end-users to grant your application permission to download, license, or upload clips on their behalf.

Authorization Code Grant

Redirect users to `https://auth.frameflow.io/oauth/authorize?client_id=YOUR_ID&scope=asset:download,license:purchase`. FrameFlow handles session management and returns a short-lived authorization code to your redirect URI.

Token Exchange

POST the code to `/oauth/token` with your client secret. Receive an `access_token` (valid 1 hour) and `refresh_token` (valid 90 days). Use the refresh token to silently renew sessions without interrupting user workflows.

Supported scopes include `asset:read`, `collection:write`, `billing:read`, and `upload:manage`. Always request the minimum scope required for your integration to comply with FrameFlow's data minimization policy.

Security Standards

Best Practices

Protect your credentials and maintain compliance with FrameFlow's infrastructure requirements.

Environment Variables

Never hardcode secrets. Store `FRAMEFLOW_API_KEY` and `CLIENT_SECRET` in `.env` files or secret managers like HashiCorp Vault or AWS Secrets Manager. Restrict file permissions to `600`.

HTTPS Enforcement

All API endpoints require TLS 1.2+. FrameFlow rejects plaintext requests with a `403 Forbidden` response. Configure your load balancer to terminate TLS and forward traffic securely to your backend services.

IP Allowlisting

Restrict key usage to specific server ranges in the Developer Console. Define CIDR blocks (e.g., `203.0.113.0/24`) to prevent unauthorized access from compromised workstations or public networks.

Monitor usage via the `/v1/auth/logs` endpoint. Set up Slack or PagerDuty webhooks for anomalous activity, such as sudden spikes in 401 errors or requests originating from unregistered geolocations. FrameFlow's security team responds to incident reports within 4 hours.
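One way to implement the monitoring described above, as an added example that is not FrameFlow's own code: it flags minutes dominated by 401 responses and source IPs outside the allowlisted CIDR block from the IP Allowlisting section. Assumptions: each record from `/v1/auth/logs` carries `ts`, `ip` and `status` fields (the page does not document the format), the sample records are constructed, and the thresholds are illustrative.

```python
"""Added example: flag 401 spikes and off-allowlist source IPs in auth log records."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# CIDR block taken from the page's IP Allowlisting example.
ALLOWLIST = [ip_network("203.0.113.0/24")]

# Constructed sample records. The ts/ip/status field names are an assumption;
# the page does not document the /v1/auth/logs response format.
SAMPLE_LOGS = (
    [{"ts": f"2024-05-01T10:00:{s:02d}Z", "ip": "203.0.113.10", "status": 200}
     for s in range(0, 60, 10)]
    + [{"ts": f"2024-05-01T10:01:{s:02d}Z", "ip": "198.51.100.7", "status": 401}
       for s in range(0, 60, 6)]
    + [{"ts": "2024-05-01T10:01:30Z", "ip": "203.0.113.10", "status": 200},
       {"ts": "2024-05-01T10:02:10Z", "ip": "203.0.113.44", "status": 401}]
)


def off_allowlist(records, allowlist=ALLOWLIST):
    """Return source IPs that fall outside every allowlisted CIDR block."""
    seen = {ip_address(r["ip"]) for r in records}
    return sorted(str(ip) for ip in seen if not any(ip in net for net in allowlist))


def spikes_401(records, min_count=5, min_ratio=0.5):
    """Return {minute: (n_401, n_total)} for minutes dominated by 401 responses.

    min_count and min_ratio are illustrative thresholds, not FrameFlow values.
    """
    total, denied = Counter(), Counter()
    for r in records:
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        minute = ts.strftime("%Y-%m-%dT%H:%M")
        total[minute] += 1
        if r["status"] == 401:
            denied[minute] += 1
    return {m: (n, total[m]) for m, n in sorted(denied.items())
            if n >= min_count and n / total[m] >= min_ratio}


def alerts(records):
    """Build human-readable alert lines suitable for a chat or paging webhook."""
    out = [f"401 spike at {m}: {n}/{t} requests rejected"
           for m, (n, t) in spikes_401(records).items()]
    out += [f"request from non-allowlisted IP {ip}" for ip in off_allowlist(records)]
    return out


if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_LOGS)))
```

The ratio test keeps a busy but healthy minute with a handful of expired tokens from paging anyone; tune both thresholds against your own baseline traffic.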
