Access control¶
This page explains how access is controlled in Flotiq across users, roles, and API keys.
Access control layers¶
Flotiq access model has three layers:
- Authentication: verifies who is making the request.
- Authorization: defines what actions are allowed.
- API key scope: limits access for API integrations.
Authentication methods¶
- Panel login (standard account flow)
- Enterprise SSO
- API keys for integration traffic
See Authentication for sign-in flows.
Authorization scopes¶
Flotiq applies permissions at two role scopes:
- Organization scope: management actions like users, Spaces, and billing.
- Space scope: content actions inside an assigned Space.
See User Roles and Spaces and Organization.
API key scope¶
API keys should use the least privilege.
- Use scoped API keys for integration-specific access.
- Separate read-only and read-write use cases.
- Rotate compromised API keys immediately.
See API access & scoped keys and API key lifecycle.
Manage API keys in Panel¶
To manage API keys in the Flotiq Panel:
- Open your Space in the Dashboard.
- Go to
API Keysin the left menu. - Create, scope, regenerate, or remove keys as needed.
Use separate scoped API keys for each integration and environment.
Practical permission model¶
A common setup for production teams:
Organization Adminfor a small admin group,AdminorContent Editorat Space level for content teams,- scoped API keys per integration (frontend, automation, ETL),
- separate API keys per environment (staging, production).
Troubleshooting access issues¶
If a user or integration cannot perform an action:
- Verify selected Space context.
- Verify assigned user role at organization and Space levels.
- Verify API key type and scope.
- Verify endpoint expectations (panel action vs API action).