Authentication
Every request is authenticated with a fal key. Keys are long-lived, scoped per account, and revocable from the dashboard.
Getting a key
Create one at fal.ai/dashboard/keys. Keys start with the prefix fal_. You only see the full value at creation; if you lose it, make a new one.
Passing the key
Every request to the fal queue includes a header of the form Authorization: Key <your key>. The official SDKs pick this up from the FAL_KEY environment variable automatically.
Server proxy (default)
For anything shipped to a real domain, keep the key on the server and let the browser hit your own endpoint. The starter ships a proxy at /api/fal/proxy that adds the key header before forwarding to fal.
    # .env.local (Next.js, or any server env)
    FAL_KEY=fal_... # never expose to the browser
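What a key-injecting proxy has to get right, as an added example (this is not the starter's proxy code): it discards any credential the browser sent, attaches the server's key, and forwards only to fal hosts so the key cannot be relayed elsewhere. The x-fal-target-url header name and the allowed host suffixes are assumptions made for this sketch, and the sample values in the comments are constructed.

```javascript
// Added example: request-building core of a server-side proxy that injects the fal key.
// Assumptions (not from the page): the target header name and the host allow-list.
const TARGET_HEADER = "x-fal-target-url";               // assumed header name
const ALLOWED_HOST_SUFFIXES = [".fal.run", ".fal.ai"];  // assumed upstream hosts
// Headers the browser must not control, or that must not leak upstream.
const DROPPED = new Set(["authorization", "cookie", "host", TARGET_HEADER]);

// Accept only https URLs, without userinfo, on an allow-listed host.
function isAllowedTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  // Match the bare domain or a true subdomain; "fal.run.evil.example" fails both.
  return ALLOWED_HOST_SUFFIXES.some(
    (suffix) => host === suffix.slice(1) || host.endsWith(suffix)
  );
}

// clientHeaders: plain object of incoming headers; env: e.g. process.env.
// Returns { status, error } on rejection, or { url, headers } for the upstream fetch.
function buildUpstreamRequest(clientHeaders, env) {
  const key = env.FAL_KEY; // server-only variable, never NEXT_PUBLIC_*
  if (!key) return { status: 500, error: "FAL_KEY is not set on the server" };

  // Header names are case-insensitive, so normalise before any lookup.
  const lower = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    lower[name.toLowerCase()] = value;
  }

  const target = lower[TARGET_HEADER];
  if (!target || !isAllowedTarget(target)) {
    return { status: 412, error: "target URL missing or not allowed" };
  }

  const headers = {};
  for (const [name, value] of Object.entries(lower)) {
    if (!DROPPED.has(name)) headers[name] = value;
  }
  headers["authorization"] = `Key ${key}`; // header form given above
  return { url: target, headers };
}
```

The error result never contains the key, so it is safe to return to the browser or write to a log.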
Public key (prototype only)
Setting NEXT_PUBLIC_FAL_KEY makes the key available in the browser bundle. Only use this for local hacking. Rate-limit it on the fal dashboard before you ever check it in.
    # .env.local (prototype only; this key lands in the browser bundle)
    NEXT_PUBLIC_FAL_KEY=fal_...
Security rules
- Never commit a key. Add .env* to your gitignore.
- Use one key per environment (dev, staging, prod). Rotate them independently.
- Rotate immediately if a key lands in a commit, a screenshot, or a log.
- Prefer the server proxy path for anything with public traffic.