REST API authentication: keys, scopes, rotation, IP allow-list
REST API authentication
DevFlow uses personal access tokens (PATs) and service-account API keys. Use a service account for CI; PATs are for humans logged in via the dashboard.
creating a service-account key
```shell
devflow service-accounts create ci-payments --scope monitor:write --scope monitor:read --scope channel:write
```
The output prints the key once. Store it in your CI's secret store immediately; it cannot be read back later, and it should not end up in shell history or build logs.
available scopes
| Scope | Permits |
|---|---|
| `monitor:read` | List + read monitors |
| `monitor:write` | Create/update/delete monitors |
| `slo:read` | List + read SLOs |
| `slo:write` | Create/update/delete SLOs |
| `channel:read` | List + read alert channels |
| `channel:write` | Create/update/delete alert channels |
| `incident:read` | List + read incidents |
| `incident:write` | Acknowledge/resolve incidents |
| `*:read` | All read scopes |
| `*` | Everything (avoid; use scoped keys) |
using the key
```shell
curl -H "Authorization: Bearer df_pat_xxx" https://api.devflow.io/v1/monitors
```
The CLI reads `$DEVFLOW_API_KEY` automatically, so the key never has to appear on the command line.
IP allow-list
Service-account keys can be restricted to a list of IP CIDRs:
```shell
devflow service-accounts allow-ip ci-payments --cidr 203.0.113.0/24
```
A request from outside the allow-list is rejected with 401; the response includes a `request_id`.
rotation
```shell
devflow service-accounts rotate ci-payments
```
This issues a new key and marks the old one for revocation 48 hours later. Both keys work during the overlap; use it to push the new key to your CI without downtime. The whole flow is in variables-and-secrets.
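To make the scope, allow-list and rotation rules above concrete, here is an added Python model of the documented behaviour that can be exercised offline. It is not DevFlow's code or API: the `ServiceAccount` class, the `df_sa_` key prefix, the constructed clock, the 401 for an unknown or revoked key and the 403 for a missing scope are all assumptions; only the 401 for a request outside the allow-list and the 48-hour overlap come from the page.

```python
"""Offline model of the service-account checks described on this page.

Added illustration, not DevFlow's code: it encodes the documented rules
(scoped keys with the '*:read' and '*' wildcards, an IP allow-list that
rejects outside requests with 401, and a 48-hour rotation overlap) so they
can be exercised without the API. Assumptions are marked in comments.
"""
from __future__ import annotations

import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_OVERLAP = timedelta(hours=48)  # documented: old key revoked 48 h after rotate
KEY_PREFIX = "df_sa_"  # assumption; the page only shows the PAT prefix df_pat_


@dataclass
class Key:
    value: str
    revoke_at: datetime | None = None  # None: no revocation scheduled

    def valid_at(self, now: datetime) -> bool:
        return self.revoke_at is None or now < self.revoke_at


@dataclass
class ServiceAccount:
    name: str
    scopes: set[str]
    allowed_cidrs: list = field(default_factory=list)  # empty: no IP restriction
    keys: list[Key] = field(default_factory=list)

    def create_key(self) -> str:
        """Mint a key and return it once; the caller must store it."""
        key = Key(KEY_PREFIX + secrets.token_urlsafe(24))
        self.keys.append(key)
        return key.value

    def allow_ip(self, cidr: str) -> None:
        """Mirror of `devflow service-accounts allow-ip NAME --cidr CIDR`."""
        self.allowed_cidrs.append(ipaddress.ip_network(cidr, strict=True))

    def rotate(self, now: datetime) -> str:
        """Issue a new key; keys without a scheduled revocation get one 48 h from now."""
        for key in self.keys:
            if key.revoke_at is None:
                key.revoke_at = now + ROTATION_OVERLAP
        return self.create_key()

    def ip_allowed(self, source_ip: str) -> bool:
        if not self.allowed_cidrs:
            return True
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.allowed_cidrs)

    def has_scope(self, required: str) -> bool:
        """'*' grants everything, '*:read' grants every :read scope, else exact match."""
        _, _, action = required.partition(":")
        if "*" in self.scopes:
            return True
        if action == "read" and "*:read" in self.scopes:
            return True
        return required in self.scopes

    def find_key(self, presented: str) -> Key | None:
        # Constant-time compare against each stored key so lookup timing leaks nothing.
        for key in self.keys:
            if hmac.compare_digest(key.value.encode(), presented.encode()):
                return key
        return None


def authorize(account, presented, source_ip, required_scope, now) -> tuple[int, str]:
    """Decide a request. 401 for an IP outside the allow-list is documented;
    401 for an unknown/revoked key and 403 for a missing scope are assumptions."""
    key = account.find_key(presented)
    if key is None or not key.valid_at(now):
        return 401, "unknown or revoked key"
    if not account.ip_allowed(source_ip):
        return 401, "source IP outside allow-list"
    if not account.has_scope(required_scope):
        return 403, f"key lacks scope {required_scope}"
    return 200, "ok"


def walkthrough() -> dict[str, int]:
    """Replay the page's flow on a constructed clock; returns the status per step."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    ci = ServiceAccount("ci-payments", {"monitor:write", "monitor:read", "channel:write"})
    old = ci.create_key()
    ci.allow_ip("203.0.113.0/24")
    new = ci.rotate(t0)
    in_overlap, after = t0 + timedelta(hours=47), t0 + ROTATION_OVERLAP
    return {
        "write from allow-listed IP": authorize(ci, old, "203.0.113.10", "monitor:write", t0)[0],
        "request from outside allow-list": authorize(ci, old, "198.51.100.7", "monitor:write", t0)[0],
        "scope not granted (slo:write)": authorize(ci, old, "203.0.113.10", "slo:write", t0)[0],
        "old key during overlap": authorize(ci, old, "203.0.113.10", "monitor:read", in_overlap)[0],
        "new key during overlap": authorize(ci, new, "203.0.113.10", "monitor:read", in_overlap)[0],
        "old key after 48 h": authorize(ci, old, "203.0.113.10", "monitor:read", after)[0],
        "new key after 48 h": authorize(ci, new, "203.0.113.10", "monitor:read", after)[0],
    }


if __name__ == "__main__":
    for step, status in walkthrough().items():
        print(f"{status}  {step}")
```

Running the file prints one status per step of the flow: the old key keeps working at hour 47 and stops at exactly hour 48, which is the window in which the CI secret has to be updated and verified. The model deliberately treats a key that was rotated twice inside one overlap as keeping its earliest revocation time, so repeated rotations cannot be used to extend an old key's life.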
audit
Every key creation, scope change, IP allow-list change, and rotation is recorded in the audit log, retained for 365 days. PATs are logged the same way; see Settings → Audit.