Legal & Compliance
API Documentation
Integrate ON AIR FLOW LLC's curated instrumental music directly into your applications, POS systems, or internal dashboards.
Authentication
The ON AIR FLOW LLC API uses API keys to authenticate requests. You can view and manage your API keys in the Admin Dashboard.
Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
Methods
Pass your key in the X-API-Key header.
Append ?api_key=pk_... to the URL.
Endpoints
Retrieve a list of all available curated playlists matching your subscription level.
{
"success": true,
"data": [
{
"id": "pl_focus_01",
"name": "Deep Focus",
"category": "focus",
"duration": 7200
},
{
"id": "pl_creative_02",
"name": "Design Sprint",
"category": "creative",
"duration": 14400
}
]
}Initiate a secure streaming session for a specific playlist. Returns a temporary streaming URL valid for 24 hours.
{
"playlist_id": "pl_focus_01",
"device_id": "pos_terminal_main"
}{
"success": true,
"stream_url": "https://api.onairflow.store/stream/temp_abc123.m3u8",
"expires_in": 86400
}Check the operational status of the ON AIR FLOW LLC API and your current rate limit quotas.
Code Examples
curl -X GET "https://api.onairflow.store/api/v1/list_playlists" \
-H "X-API-Key: YOUR_API_KEY"Full SDK client libraries for Node.js and Python are available to enterprise customers upon request.
Licensing & Legal
Integrating our API into your POS systems or internal apps provides full legal cover under our straightforward commercial licensing model.
All tracks streamed via the API are owned entirely by ON AIR FLOW LLC. We bear all copyright responsibility.
Your active API subscription is your license. Zero reporting to ASCAP, BMI, SACEM, or other rights organizations.
Want to review permitted uses and limitations? Read our complete Licensing & Legal page →
Security Best Practices
Never commit API keys to your repository. Use environment variables (e.g., .env) and proper secrets managers like AWS Secrets Manager or HashiCorp Vault.
We recommend rotating your API keys every 90 days. You can generate new keys in your Admin Dashboard before revoking the old ones to ensure zero downtime.
Our API limits standard clients to 100 requests per minute to prevent abuse. Rate limit status is returned in the X-RateLimit-* headers.
Enterprise users can restrict API key usage to specific static IP addresses for enhanced security. Contact support to configure this feature.
FAQ
API keys are provisioned by your system administrator. If you are an admin, navigate to the Admin Panel > API Clients Management and click "Generate New API Key".
Yes, you may cache the playlist metadata (name, duration) for up to 24 hours. However, the temporary streaming URLs generated by the /play endpoint expire and cannot be cached long-term.