Skip to main content
Every request to the Podflare API requires an API key. You pass it once — either as an environment variable or directly in the SDK constructor — and the SDK attaches it to every request automatically. If you call the HTTP API directly, include it as a Bearer token in the Authorization header.

Get your API key

API keys have the format pk_.... You receive one when you sign up for Podflare access. Keep it secret — anyone with your key can create and run sandboxes under your account.

Pass your key to the SDK

from podflare import Sandbox

# Option 1: pass explicitly
sbx = Sandbox(api_key="pk_your_key_here")

# Option 2: set the environment variable (recommended)
# export PODFLARE_API_KEY=pk_your_key_here
sbx = Sandbox()  # picks up PODFLARE_API_KEY automatically

Set the environment variable

The recommended approach is to export PODFLARE_API_KEY in your shell or set it in your deployment environment. The SDK reads it automatically without any code change: 
export PODFLARE_API_KEY=pk_your_key_here
In a .env file (never commit this to version control): 
PODFLARE_API_KEY=pk_your_key_here

Using with the MCP server

If you run the Podflare MCP server (for Claude Desktop, Cursor, or Cline), pass your key in the server’s env block so it forwards on every sandbox request: 
{
  "mcpServers": {
    "podflare": {
      "command": "node",
      "args": ["/absolute/path/to/podflare/mcp/dist/index.js"],
      "env": {
        "PODFLARE_HOST": "https://api.podflare.dev",
        "PODFLARE_API_KEY": "pk_your_key_here"
      }
    }
  }
}

Understanding 401 errors

A 401 Unauthorized response means the API rejected your key. The response body tells you why:
Response bodyCauseFix
{"error": "missing Authorization: Bearer <key>"}No Authorization header was sentSet PODFLARE_API_KEY or pass api_key explicitly
{"error": "invalid api key"}Key was sent but not recognizedVerify you copied the full key correctly; request a new key if needed
Make sure you’re using the full key starting with pk_. Truncated or incorrectly copied keys cause invalid api key errors.

Request headers the SDK sends

The SDK attaches these headers to every request:
HeaderValuePurpose
AuthorizationBearer pk_...Authenticates your request
content-typeapplication/jsonDescribes the request body format
traceparent00-<trace>-<span>-<flags>Optional — links requests to your trace (see Observability)