JustPaid Workflows
API Reference

API Authentication

How to authenticate with the JustPaid Workflows API using API keys

All API requests require authentication via an API key. Keys are scoped to a company and carry specific permissions for workflow management and execution.

API Key Format

API keys follow the format wfk_ followed by a random string:

wfk_a1b2c3d4e5f6g7h8i9j0...

Using Your API Key

Include the API key in the x-api-key header on every request:

cURL:

curl https://api.justpaid.io/api/v1/workflows \
  -H "x-api-key: wfk_your_api_key_here"

JavaScript:

// Read the key from the environment rather than hardcoding it.
const response = await fetch('https://api.justpaid.io/api/v1/workflows', {
  headers: {
    'x-api-key': process.env.JUSTPAID_API_KEY,
  },
});

Python:

import os

import requests

# Read the key from the environment rather than hardcoding it.
response = requests.get(
    'https://api.justpaid.io/api/v1/workflows',
    headers={'x-api-key': os.environ['JUSTPAID_API_KEY']},
)

Never expose API keys in client-side code, public repositories, or browser requests. Always use environment variables or a secrets manager.

Key Permissions

Scope                 Description
workflows:read        List and get workflow details
workflows:write       Create, update, delete workflows
workflows:execute     Trigger workflow runs
runs:read             View run status and logs
connections:read      List connections
connections:write     Create and manage connections

Rate Limits

API requests are rate-limited per API key:

Endpoint Category                       Limit
Read operations (GET)                   1000 requests/minute
Write operations (POST, PUT, DELETE)    200 requests/minute
Workflow execution                      500 requests/minute

When rate limited, the API returns 429 Too Many Requests with a Retry-After header indicating when to retry.

Key Rotation

To rotate an API key:

  1. Generate a new key in the dashboard
  2. Update your applications to use the new key
  3. Verify the new key works
  4. Revoke the old key

Both the old and new keys remain valid until the old key is explicitly revoked. This allows zero-downtime key rotation.

Security Best Practices

  • Use environment variables -- Store keys in an environment variable such as JUSTPAID_API_KEY; never hardcode them
  • Rotate keys regularly -- Rotate at least every 90 days
  • Use least-privilege keys -- Create keys with only the scopes your application needs
  • Monitor usage -- Check the API dashboard for unusual request patterns
  • Revoke compromised keys immediately -- If a key is exposed, revoke it and generate a new one
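
One way to enforce the "never hardcode" rule is to scan files for the wfk_ prefix before they are committed. The following is an added example, not JustPaid's own code; the key character set, the 16-character minimum and the placeholder markers are assumptions, since the page only specifies the wfk_ prefix.

```python
import re
import sys
from pathlib import Path

# Assumption: the page only says keys are "wfk_ followed by a random string";
# the character set and 16-character minimum are guesses, tune to real keys.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])wfk_[A-Za-z0-9_-]{16,}")
PLACEHOLDER_MARKERS = ("your_api_key", "example", "xxxx")  # doc placeholders

# Constructed sample input; the key on the last line is made up.
SAMPLE = '''\
headers = {"x-api-key": os.environ["JUSTPAID_API_KEY"]}
curl -H "x-api-key: wfk_your_api_key_here" https://api.justpaid.io/api/v1/workflows
API_KEY = "wfk_Zk3p9QmT7vLx2Rb8Nc4Wd6Ys"
'''


def find_keys(text):
    """Return (line_number, redacted_key) for each hardcoded key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if any(marker in key.lower() for marker in PLACEHOLDER_MARKERS):
                continue  # documentation placeholder, not a real key
            # Report only the last 4 characters so CI logs never hold the secret.
            findings.append((lineno, "wfk_****" + key[-4:]))
    return findings


def scan_files(paths):
    """Scan regular files (e.g. staged files in a pre-commit hook); path -> hits."""
    results = {}
    for path in paths:
        hits = find_keys(Path(path).read_text(encoding="utf-8", errors="ignore"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if sys.argv[1:] else {"<sample>": find_keys(SAMPLE)}
    for name, hits in found.items():
        for lineno, key in hits:
            print(f"{name}:{lineno}: hardcoded JustPaid API key {key}")
    sys.exit(1 if sys.argv[1:] and found else 0)  # fail only on real files
```

Any key the scan finds in a file that has already been pushed should be treated as exposed and revoked, not just deleted from the file.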
