Authentication
FlushKit uses API keys to authenticate both the Flutter SDK (SSE connection) and your server-side requests (sending notifications).
API key format
All FlushKit API keys start with fk_live_ followed by a random string:
fk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
You can create and revoke keys from the API keys tab in your project dashboard.
Authenticating SDK requests
The SDK sends the API key as a query parameter on the SSE connection. You pass it once during initialisation:
FlushbarRemote.init(
apiKey: 'fk_live_••••••••••••••••',
context: context,
);
Authenticating server requests
Include your API key as a Bearer token in the Authorization header:
curl -X POST https://api.flushkit.dev/v1/notify \
-H "Authorization: Bearer fk_live_••••••••••••••••" \
-H "Content-Type: application/json" \
-d '{ "message": "Hello!" }'
Keeping your key secure
In Flutter — never hardcode the key directly in your source code if your repository is public. Use --dart-define at build time:
FlushbarRemote.init(
apiKey: const String.fromEnvironment('FLUSHKIT_API_KEY'),
context: context,
);
Then build with:
flutter build apk --dart-define=FLUSHKIT_API_KEY=fk_live_••••••••
Never commit your API key to version control. If a key is exposed, rotate it immediately from the dashboard — the old key is revoked instantly.
On your server — store the key in an environment variable or secrets manager, not in your application code:
# .env (never commit this file)
FLUSHKIT_API_KEY=fk_live_••••••••••••••••
Key rotation
To rotate a key:
- Go to API keys in your project dashboard.
- Create a new key.
- Update your server environment variable / Flutter build configuration.
- Delete the old key.
Deleting a key immediately invalidates any existing SSE connections using it. Devices will attempt to reconnect and fail until they receive the new key via an app update or build.