Authentication

All Flex Forward API endpoints require authentication via a Bearer token in the Authorization header.

Getting your API token

API access tokens are issued by the Flex Forward team during onboarding or account approval. Contact us at [email protected] to request development or production access.

Keep your API token secret. Do not share it in client-side code, public repositories, or insecure channels.

How access works

Flex Forward uses a managed onboarding model. API access is provisioned by the Flex Forward team to ensure your account is configured correctly for your shipping lanes and courier requirements.

Contact the Flex Forward team

Email [email protected] with your use case, expected shipping volume, and required shipping lanes.

Receive development access

The team provisions your development credentials and configures your shipper account for testing against courier sandbox services.

Test your integration

Build and validate your integration using the development environment. Verify label creation, document retrieval, and tracking.

Request production access

After successful testing, request production credentials. The team verifies readiness and provisions production access.

About shipperAccountId

The shipperAccountId is a UUID that identifies your configured shipper account (e.g., a1b2c3d4-e5f6-7890-abcd-ef1234567890). It is provisioned by the Flex Forward team during onboarding and linked to your courier and shipping lane configuration. A single API account may have multiple shipper account IDs for different courier setups.

Making authenticated requests

Include the token in the Authorization header of every request:

curl -X POST https://api.flexforward.com/labels \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "idempotencyKey": "ord-20250301-abc123",
    "courier": "yunexpress",
    "service": {
      "shipperAccountId": "your-account-id",
      "productCode": "YEXP01"
    },
    "shipment": { ... }
  }'

Error responses

If the token is missing or invalid, the API returns a 401 Unauthorized response:

{
  "error": "Unauthorized"
}

If the token is valid but the caller does not have access to the requested resource, the API returns a 403 Forbidden response:

{
  "error": "Forbidden"
}

Token best practices

Rotate tokens regularly
Use separate tokens for development and production environments
Store tokens in environment variables or a secrets manager — never hard-code them

Getting Started

Guides

Use-Case Guides

Platform

Authentication

Authentication

Getting your API token

How access works

About shipperAccountId

Making authenticated requests

Error responses

Token best practices

Getting Started

Guides

Use-Case Guides

Platform

​Authentication

​Getting your API token

​How access works

​About shipperAccountId

​Making authenticated requests

​Error responses

​Token best practices

Authentication

Getting your API token

How access works

About shipperAccountId

Making authenticated requests

Error responses

Token best practices