Authentication
All API endpoints require authentication via a Bearer token in the Authorization header.
Using your API key
Include the key in every request:
curl https://app.galaxy.ai/api/v1/workflows \
  -H "Authorization: Bearer gx_your_api_key"
API keys start with the gx_ prefix. You can create and manage keys from the GalaxyAI dashboard.
Managing API Keys
You can create up to 10 API keys per account. Each key has a unique label to help you organize keys by purpose (e.g. “Production”, “Staging”, “CI/CD”).
Creating a key
- Open the GalaxyAI Flow dashboard
- Click the API Keys button in the top-right corner
- Enter a label (e.g. “Production”) and click Create Key
- Optionally set an expiration date
- Copy the full key immediately — it’s only shown once
The full API key is only displayed at creation time. Store it securely. If you
lose it, revoke the key and create a new one.
Key properties
| Property | Description |
|---|---|
| Label | A unique name for this key (editable anytime) |
| Prefix | The visible gx_... prefix shown in the dashboard |
| Rate limit (per minute) | Max requests per minute for this key (default: 60) |
| Rate limit (per day) | Max requests per day for this key (default: 1000) |
| Expires at | Optional expiration date — key stops working after this date |
| Created at | When the key was created |
Editing a key
You can update a key’s label or rate limits at any time from the dashboard. Click the pencil icon next to any key to edit.
Revoking a key
Click the revoke button next to any key. Revocation is immediate — any requests using that key will start returning 401 Unauthorized.
Revoking a key does not affect other keys on your account. Your other keys
continue working normally.
Key Expiration
You can optionally set an expiration date when creating a key. After the expiration date passes:
- The key is automatically invalidated by the system
- API requests using the key will return 401 Unauthorized
- The key shows an “Expired” badge in the dashboard
- You can revoke expired keys to clean up your key list
Use expiration dates for temporary integrations, CI/CD pipelines, or
contractor access. For long-lived production keys, leave the expiration empty.
Rate Limits
Each API key has its own rate limits that you can configure:
| Limit | Default | Range |
|---|---|---|
| Per minute | 60 requests | 1 – 10,000 |
| Per day | 1,000 requests | 1 – 100,000 |
When you exceed a rate limit, the API returns a 429 Too Many Requests response with a Retry-After header:
{
  "error": "Rate limit exceeded. Please try again later."
}
Rate limit information is included in response headers:
| Header | Description |
|---|---|
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Timestamp (ms) when the rate limit resets |
| Retry-After | Seconds to wait before retrying (on 429 responses) |
Use exponential backoff when retrying after a 429 response. If you
consistently hit limits, increase the rate limits for that key in the
dashboard or create separate keys for different services.
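A retry loop that follows the guidance above, as an added example (not GalaxyAI's own client code): it waits for the larger of the server's Retry-After / X-RateLimit-Reset hint and a jittered exponential backoff, and stops immediately on 401 because a revoked or expired key will not recover. The environment variable name GALAXY_API_KEY and the function names are assumptions.

```python
import os
import random
import time
import urllib.error
import urllib.request

API_URL = "https://app.galaxy.ai/api/v1/workflows"  # endpoint shown on the page
KEY_ENV = "GALAXY_API_KEY"  # assumed variable name; keeps the key out of source

def retry_delay(headers, attempt, now=None, base=1.0, cap=60.0):
    """Seconds to wait after a 429: the larger of the server hint and jittered backoff."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    now = time.time() if now is None else now
    hint = 0.0
    try:
        if "retry-after" in h:                  # seconds, per the page
            hint = float(h["retry-after"])
        elif "x-ratelimit-reset" in h:          # epoch milliseconds, per the page
            hint = float(h["x-ratelimit-reset"]) / 1000.0 - now
    except ValueError:
        hint = 0.0                              # unparsable header: rely on backoff alone
    backoff = random.uniform(0, base * 2 ** attempt)  # exponential window, full jitter
    return min(cap, max(hint, backoff, 0.0))

def http_send(url=API_URL):
    """Default transport: one GET with the Bearer key read from the environment."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + os.environ[KEY_ENV]})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:       # 401/429 arrive here with headers intact
        return err.code, dict(err.headers), err.read()

def call_api(send=http_send, max_attempts=5, sleep=time.sleep):
    """Retry only on 429; a 401 is a key problem that retrying cannot fix."""
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status == 401:
            raise PermissionError("401: API key missing, invalid, revoked or expired")
        if status != 429:
            return status, body
        if attempt + 1 < max_attempts:
            sleep(retry_delay(headers, attempt))
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```

The `send` and `sleep` parameters exist so the loop can be exercised with canned responses instead of live requests.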
Error Responses
| Status | Meaning |
|---|---|
| 401 | Missing, invalid, revoked, or expired API key |
| 429 | Rate limit exceeded |
{
  "error": "Invalid or expired API key."
}