Core API
Use this feature when you want to access Core API functionality directly instead of calling a Workflow through the API.
If you do not already have an OAuth access token, first follow Flowgear OAuth.
In the URLs below, replace tenantid with your tenant identifier. This is the tenant value you supply when signing in through app.flowgear.net.
Call the Core API with a Bearer Token
After obtaining an OAuth access token, include it in the Authorization header of the request:
Authorization: Bearer <access_token>
Example request:
curl "https://tenantid.flowgear.net/logs?startTime=2026-03-15T00:00:00Z" \
--header "Authorization: Bearer ACCESS_TOKEN_HERE"
This request requires the following scope:
fg:list:servicelog:global
Flowgear API Permission Scopes
Core API access uses Flowgear permission scopes. The format is:
fg:{verb}:{module}:{objectType}[:{objectKey}][:env:{environmentKey}]
Scope parts:
verb: the action you want to performmodule: the type of Core API resource you want to accessobjectType: the scope of access, such asglobal,sites, oraccountsobjectKey: required for site- or account-scoped resourcesenvironmentKey: required only for endpoints that enforce environment access
Important:
- Request only the scopes you need.
- The user behind the token must still have the matching Flowgear permissions.
- A scope by itself does not grant access.
Verbs
Currently, OAuth access supports these verbs:
read
Example:fg:read:workflow:sites:site-1:env:env-1list
Example:fg:list:workflow:sites:site-1
Modules
The module identifies the type of Core API resource you want to access. Common examples include:
site
Example:fg:read:site:sites:site-1:env:env-1workflow
Example:fg:read:workflow:sites:site-1:env:env-1connection
Example:fg:read:connection:sites:site-1:env:env-1environment
Example:fg:list:environment:sites:site-1droppoint
Example:fg:list:droppoint:sites:site-1workflowlog
Example:fg:list:workflowlog:sites:site-1servicelog
Example:fg:list:servicelog:global
Other log-related modules follow the same pattern:
fg:list:{logmodule}:globalfg:list:{logmodule}:sites:site-1
Object Types
The object type identifies the scope of access:
global
Example:fg:list:servicelog:globalsites
Example:fg:list:workflow:sites:site-1accounts
Example:fg:list:accountauditlog:accounts:account-1
Environment-specific Scopes
Some endpoints enforce environment access. Include the environment suffix only when the Site is configured to use environment-scoped permissions:
:env:{environmentKey}
Example:
fg:read:workflow:sites:site-1:env:env-1
Supported OAuth Access
OAuth bearer token access is intentionally limited.
Currently supported:
readandlistoperations only- modules for
site,workflow,connection,environment, anddroppoint - log modules such as
workflowlog,servicelog, and other*logpermission modules
Not all Core API endpoints support bearer-token access.
Common Endpoint Examples
Read platform logs
Request:
GET /logs?startTime=2026-03-15T00:00:00Z
Scope:
fg:list:servicelog:global
List workflows for a site
Request:
GET /sites/site-1/workflows
Scope:
fg:list:workflow:sites:site-1
Read a workflow in an environment
Request:
GET /sites/site-1/workflows/workflow-1?environmentKey=env-1
Scope:
fg:read:workflow:sites:site-1:env:env-1
Read a connection in an environment
Request:
GET /sites/site-1/connections/connection-1?environmentKey=env-1&runtimeVersion=2
Scope:
fg:read:connection:sites:site-1:env:env-1
List workflow logs for a site
Request:
GET /sites/site-1/logs?mode=list&dateFrom=2026-03-15T00:00:00Z&dateTo=2026-03-16T00:00:00Z
Scope:
fg:list:workflowlog:sites:site-1
Troubleshooting
401 Unauthorized
Common causes:
- the bearer token is invalid or expired
- the token does not contain the exact required
fg:...scope - the signed-in user does not have the matching Flowgear permission
- the token was issued for a different tenant
403 Forbidden
Common causes:
- no bearer token was sent
- the endpoint requires a verb other than
readorlist - the endpoint belongs to a module that is not enabled for bearer-token access