Connect FlutterFlow to RapidAPI using a FlutterFlow API Calls group with two mandatory headers: X-RapidAPI-Key and X-RapidAPI-Host. Subscribe to any API in the RapidAPI Hub, copy its endpoint host from the Endpoints tab, and route your secret key through a Firebase Cloud Function or Supabase Edge Function proxy — never store it in App State where it ships inside the compiled app.
| Fact | Value |
|---|---|
| Tool | RapidAPI |
| Category | DevOps & Tools |
| Method | FlutterFlow API Call |
| Difficulty | Intermediate |
| Time required | 30 minutes |
| Last updated | July 2026 |
One Key, Thousands of APIs — Inside Your FlutterFlow App
RapidAPI operates as a marketplace gateway: you subscribe to individual APIs (weather data, sports scores, translation engines, financial feeds, and thousands more), and every subscribed API accepts the same X-RapidAPI-Key. This unified credential model makes it fast to add new data sources to your app without juggling separate accounts or SDKs for each provider. For a FlutterFlow builder, RapidAPI is a practical shortcut to production-ready data that would otherwise require months of direct API negotiations.
The integration model is straightforward but has one firm rule: every RapidAPI request needs two specific headers. X-RapidAPI-Key is your credential, and X-RapidAPI-Host is the specific subdomain of the API you are calling (for example, weatherapi.p.rapidapi.com for a weather service). Omitting either one will return a 403 or blocked response even when your key is valid. RapidAPI's Endpoints tab on each API's page shows you exactly which host to use, and its Code Snippets panel generates ready-made cURL output that maps directly to FlutterFlow's header fields.
Because one leaked X-RapidAPI-Key exposes every API subscription you own, it must never be hardcoded inside the compiled Flutter app. FlutterFlow's App State and Dart Custom Actions both ship to the client device, where the key can be extracted with basic tools. The correct pattern is a lightweight backend proxy — a Firebase Cloud Function or Supabase Edge Function — that holds the key on the server, adds the two RapidAPI headers, and forwards requests from your app. Free tiers on both Firebase and Supabase handle thousands of calls per day comfortably for typical app traffic.
Integration method
You connect FlutterFlow to RapidAPI by creating an API Calls group for each subscribed API, using that API's RapidAPI host as the base URL and passing two required headers on every request: X-RapidAPI-Key (your unified marketplace key) and X-RapidAPI-Host (the specific API's subdomain). Because the X-RapidAPI-Key is a real secret that unlocks all your subscriptions, it must be injected by a server-side proxy rather than embedded in the compiled Flutter app. RapidAPI's Code Snippets panel gives you the exact headers and JSON response shape to copy into FlutterFlow's API Calls configuration.
Prerequisites
- A RapidAPI account (free to create at rapidapi.com) with at least one API subscription active
- The API's endpoint host and a Code Snippet (cURL) copied from its Endpoints tab on RapidAPI
- A FlutterFlow project (Starter plan or higher for API Calls)
- A Firebase project or Supabase project to host the proxy function that holds the secret key
- Basic familiarity with JSON so you can read the response structure and write JSON Paths
Step-by-step guide
Subscribe to a RapidAPI endpoint and copy the Code Snippet
Log in to rapidapi.com and use the search bar to find the API you want to connect — for example, a weather API, sports scores API, or translation engine. On the API's page, click the Subscribe button and choose a plan. Most APIs offer a free Basic or Freemium plan with a monthly quota of requests; note what that quota is now, because hitting it produces a 429 error that looks like a code bug. Once subscribed, navigate to the Endpoints tab and select any endpoint you plan to use. On the right side you will see a Code Snippets panel with a dropdown — choose cURL. The generated snippet contains everything FlutterFlow needs: the full endpoint URL broken into a base host and path, the two required headers (X-RapidAPI-Key and X-RapidAPI-Host), and any query parameters the endpoint accepts. Copy this snippet and paste it into a text editor so you can refer to the exact field names while setting up FlutterFlow. Also paste one of the API's sample JSON responses into a text editor — you will need the field paths (like data.location.name or current.temp_c) when you configure JSON Path parsing in FlutterFlow later.
Pro tip: RapidAPI shows a 'Test Endpoint' button that lets you run a live request in the browser and see the real JSON response — run it here to capture the exact response shape before going to FlutterFlow.
Expected result: You have a subscribed API, its cURL Code Snippet open in a text editor, and a sample JSON response showing the field structure you will parse.
Create an API Calls group in FlutterFlow for your RapidAPI endpoint
In your FlutterFlow project, click API Calls in the left navigation panel. Click the + Add button and choose Create API Group. Give the group a descriptive name that matches the API, such as WeatherAPI or SportsScores. Set the Base URL to the API's RapidAPI host — this is the https://{api-name}.p.rapidapi.com part of the URL in your cURL snippet. Each API on RapidAPI has a different host value; copying the wrong one will send your requests to the wrong service. Do not add any headers yet at the group level. Now add a call inside the group: click + Add API Call and name it after the specific endpoint, such as GetCurrentWeather. Set the HTTP Method to GET (or POST if the endpoint requires a body — check the Code Snippet). In the URL field enter the path portion only, for example /current.json, because the base URL is already set on the group. This split prevents you from duplicating the host on every call. Switch to the Headers tab of this API Call. Add two headers exactly as shown in the cURL snippet. The first header name must be X-RapidAPI-Key and its value will be a variable you define in the next step (use {{ rapidAPIKey }} as a placeholder for now). The second header name must be X-RapidAPI-Host and its value is the static host string from your snippet, for example weatherapi.p.rapidapi.com. This host value is not a secret — it is safe to enter it directly. Missing either header will return a 403 even when your key is valid.
1{2 "group_name": "WeatherAPI",3 "base_url": "https://weatherapi-com.p.rapidapi.com",4 "calls": [5 {6 "name": "GetCurrentWeather",7 "method": "GET",8 "path": "/current.json",9 "headers": {10 "X-RapidAPI-Key": "{{ rapidAPIKey }}",11 "X-RapidAPI-Host": "weatherapi-com.p.rapidapi.com"12 },13 "query_params": {14 "q": "{{ city }}"15 }16 }17 ]18}Pro tip: Each RapidAPI subscription has its own unique host value — do not reuse a host from another API subscription. The host is visible in the cURL snippet as the -H 'X-RapidAPI-Host: ...' line.
Expected result: The API Calls panel shows your group with one call inside it. The Headers tab lists X-RapidAPI-Key with a variable placeholder and X-RapidAPI-Host with the static host string.
Add query/path variables and parse the JSON response
Switch to the Variables tab of your API Call. Click + Add Variable for each parameter the endpoint accepts. For a weather API this is usually a city or location query parameter (q); for a sports API it might be a season or team ID. Set each variable's type (String, Integer) and whether it is required. Once you have added variables, go back to the URL field or the Query Parameters section and reference them with the {{ variableName }} syntax. For a query parameter, use the Query Params section rather than embedding it in the URL path — this is cleaner and FlutterFlow handles encoding automatically. Now click the Response & Test tab. Paste your sample JSON response into the Response Preview field and click Generate JSON Paths. FlutterFlow scans the JSON and suggests paths for each field it finds. Enable the paths you want to expose as response variables — for example, $.current.temp_c for current temperature and $.location.name for the resolved city name. Rename each to a friendly variable name (tempCelsius, locationName) that will appear in widget bindings. If the response is an array, paths like $.data[0].name or $.results[*].title give you list access. With variables and JSON Paths configured, click Test in the Response & Test tab. Enter real values for your variables (an actual city name, not a placeholder) and run the call. If you see real data populating the response variables, the call is correctly configured. A 403 here means the key or host header is wrong; a 429 means the free-tier quota is already exhausted for the month.
1// JSON Path examples for a weather API response2// Response: { "location": { "name": "London", "country": "UK" }, "current": { "temp_c": 14.0, "condition": { "text": "Partly cloudy" } } }34$.location.name // → "London"5$.location.country // → "UK"6$.current.temp_c // → 14.07$.current.condition.text // → "Partly cloudy"89// For an array response:10// Response: { "results": [ { "id": 1, "title": "Match A" } ] }11$.results[0].title // → first item title12$.results[*].title // → all titles as a listPro tip: If Generate JSON Paths produces no results, make sure you pasted valid JSON (no trailing commas, no comments). Use jsonlint.com to validate the response first.
Expected result: The Response & Test tab shows green check marks next to each JSON Path and the Test run populates real values from the live API.
Bind API data to FlutterFlow widgets
Now that your API Call is tested and returning data, wire it to the UI. For a single-item response (current weather, one user profile), select the widget you want to populate — for example, a Text widget showing the temperature. Open its Actions panel and click + Add Action. Choose Backend/API Calls, select your API Group, then your API Call. FlutterFlow shows a list of the response variables you defined with JSON Paths. Set each widget's text or image source to the corresponding response variable using the Set Variable action, or use the widget's inline data source picker to bind directly. For list responses (search results, sports fixtures), place a ListView or Column widget on the page. Set its data source to a backend query that fires your API Call with the appropriate variables, then map each item's fields to child widgets using the item index binding. If you pass user-entered values (city name, search term) as variables, connect the text field's value to the variable that drives the API Call query parameter. A search bar with a debounce Action that fires the API Call on text-changed works well here. For loading states, wrap the data-bound widget in a Conditional Widget that shows a CircularProgressIndicator while the backend query is in progress, and a user-friendly error message if the API Call returns a non-200 status. Check the conditional status using the API response's success/error state rather than hard-coding delays.
Pro tip: Use an Action Chain on a Button widget (trigger API Call → Set State → Navigate) for on-demand fetches, and a backend query on a Column/ListView for automatic loading when the page opens.
Expected result: The widget on the canvas shows the API variable bound (shown as a blue chip in the text field), and running the app in Test mode populates real data from RapidAPI.
Secure the X-RapidAPI-Key with a server-side proxy
The X-RapidAPI-Key unlocks every API subscription you own. If you place it in a FlutterFlow App Value, App State variable, or directly in the header field, it ships inside the compiled Flutter binary — any user with basic reverse-engineering tools can extract it, rotate it fraudulently, or exhaust your quota. The correct pattern for production apps is a thin server-side proxy that holds the key and adds both RapidAPI headers before forwarding the request. If your project uses Firebase: create a Firebase Cloud Function (Node.js). The function accepts the parameters your FlutterFlow app sends (city name, sport ID, etc.), adds the X-RapidAPI-Key and X-RapidAPI-Host headers from process.env, calls the RapidAPI endpoint, and returns the JSON response. Deploy it with firebase deploy --only functions. Store the key in Firebase environment config (firebase functions:config:set rapidapi.key=xxx) rather than in source code. If your project uses Supabase: create a Supabase Edge Function (Deno). The function reads the RapidAPI key from Deno.env.get('RAPID_API_KEY'), calls the endpoint, and returns the response. Set the secret in the Supabase Dashboard under Edge Functions > Secrets. Once the proxy is deployed, update your FlutterFlow API Calls group to point at your proxy URL instead of the RapidAPI host directly. The proxy URL is your Firebase function or Supabase Edge Function endpoint. Remove the X-RapidAPI-Key header from the FlutterFlow API Call — it is now handled server-side. You can keep X-RapidAPI-Host absent too since the proxy hard-codes the target. For extra security, add a simple secret header between your app and your proxy (a different token your app sends, validated on the proxy) to prevent unauthorized direct calls to your proxy endpoint.
1// Firebase Cloud Function proxy (index.js)2const functions = require('firebase-functions');3const axios = require('axios');45exports.rapidApiProxy = functions.https.onCall(async (data, context) => {6 const { endpoint, params } = data;78 // Allowlist endpoints to prevent abuse9 const allowedEndpoints = ['/current.json', '/forecast.json'];10 if (!allowedEndpoints.includes(endpoint)) {11 throw new functions.https.HttpsError('invalid-argument', 'Endpoint not allowed');12 }1314 const response = await axios.get(15 `https://weatherapi-com.p.rapidapi.com${endpoint}`,16 {17 headers: {18 'X-RapidAPI-Key': functions.config().rapidapi.key,19 'X-RapidAPI-Host': 'weatherapi-com.p.rapidapi.com'20 },21 params22 }23 );2425 return response.data;26});Pro tip: Restrict the Cloud/Edge Function to only the specific RapidAPI endpoints your app needs — this limits blast radius if someone calls your proxy endpoint directly.
Expected result: The Cloud/Edge Function is deployed and returns RapidAPI data when called from Postman or your FlutterFlow app. The X-RapidAPI-Key no longer appears anywhere in the Flutter source or network requests from the device.
Handle quotas, errors, and test on device
RapidAPI free-tier quotas vary by API — some allow 500 requests per month, others 10 per day. A quota hit returns HTTP 429 with a message like 'You have exceeded the rate limit per month for your plan, BASIC.' This looks identical to a rate-limit error from a code bug, so add explicit handling: in your FlutterFlow Action Flow, check the API Call's response code. If it equals 429, show a Snackbar or Dialog that tells the user 'API limit reached — please try again later' rather than showing a generic error or blank screen. For 403 responses, the most common cause is the missing X-RapidAPI-Host header. In the proxy flow, 403 can also mean the proxy function's environment variable is not set correctly. Log the RapidAPI error body ('message' field) in your Cloud Function to diagnose quickly. FlutterFlow's API Test tab runs on Rapid's servers and does not enforce CORS — so a request that passes in the Test tab can still fail in the web preview because browsers enforce CORS. For web builds, use the proxy pattern: your Cloud/Edge Function is the browser's origin-safe URL. For native iOS/Android builds, CORS is not enforced and the direct API Call header approach would work, but use the proxy anyway for key security. Before shipping to the App Store or Play Store, run a build on a physical device or the FlutterFlow Run mode (not canvas preview) to confirm real data loads. Custom Actions and API Calls that use variables from UI elements (text fields, dropdowns) must be tested in Run mode because the canvas only simulates static data.
Pro tip: If you'd rather skip setting up the Cloud Function proxy yourself, RapidDev's team builds FlutterFlow integrations like this every week — free scoping call at rapidevelopers.com/contact.
Expected result: The app shows a friendly message when the quota is hit (429), loads real RapidAPI data on a physical device or in Run mode, and the key is absent from all client-side code.
Common use cases
Real-time sports scores app for fantasy league managers
A FlutterFlow app that displays live scores, standings, and player stats by calling a sports data API on RapidAPI. The app subscribes to the API-Sports or API-Football endpoint, fetches match data on a timer, and renders results in a ListView. The RapidAPI key is stored in a Firebase Cloud Function so it never ships in the APK.
Build a screen that shows today's Premier League fixtures and live scores, refreshing every 60 seconds. Each match card should display home team, away team, current score, and match status.
Copy this prompt to try it in FlutterFlow
Language-learning app with real-time translation
A FlutterFlow mobile app that lets users type or paste text and instantly receive translations from a translation API on RapidAPI, such as Microsoft Translator or Deep Translate. Results are displayed in a card below the input field, with source and target language selectable from a dropdown. The proxy pattern keeps the key off the device.
Create a translation screen with a multi-line text input, a language-pair selector, and a Translate button. Display the translated result in a read-only card below and allow copying the result to clipboard.
Copy this prompt to try it in FlutterFlow
Weather dashboard widget inside a travel-planning app
A FlutterFlow screen that pulls 7-day forecast data from a weather API on RapidAPI (such as WeatherAPI.com) based on the user's selected destination city. The city name is passed as a query variable to the FlutterFlow API Call, the JSON response is parsed with JSON Paths for temperature and condition, and the data is bound to icon + text widgets.
Build a weather card that shows the 7-day forecast for a city entered by the user. Each day should show the date, weather icon name, high temperature, and low temperature.
Copy this prompt to try it in FlutterFlow
Troubleshooting
API returns 403 or 'You are not subscribed to this API' even with a valid key
Cause: The X-RapidAPI-Host header is missing or contains the wrong value. Every RapidAPI endpoint has a unique host subdomain, and the gateway rejects requests where the Host header does not match the subscribed API's host.
Solution: Open the API's Endpoints tab on RapidAPI and copy the exact X-RapidAPI-Host value from the Code Snippets cURL output. In FlutterFlow, go to your API Call's Headers tab and verify the header name is spelled exactly X-RapidAPI-Host (case-sensitive on some servers) and the value matches character-for-character. Also confirm you are subscribed to that specific API — a valid key does not grant access to unsubscribed APIs.
429 Too Many Requests after only a few test calls
Cause: The free-tier quota for that specific API is very low (some APIs cap at 10–50 requests per month on Basic) or the quota resets monthly rather than daily, and earlier tests already consumed it.
Solution: Go to the API's My Apps dashboard on RapidAPI to see remaining quota. If the quota is exhausted, wait for the monthly reset or upgrade to a paid tier. In FlutterFlow, add a conditional in your Action Flow that checks for a 429 response code and shows a user-friendly 'service temporarily unavailable' message rather than silently failing or showing empty data.
XMLHttpRequest error in web preview but the API Test tab passes
Cause: The RapidAPI endpoint blocks browser-origin requests (CORS is not enabled for browser clients). FlutterFlow's API Test tab runs server-side and does not enforce CORS, so it passes even when a real browser call would be blocked.
Solution: Use the Firebase Cloud Function or Supabase Edge Function proxy described in Step 5. The proxy is a server-to-server call that bypasses CORS restrictions. Update your FlutterFlow API Calls group base URL to point at your proxy endpoint. This also moves the key off the client, providing a double benefit.
Response variables are empty even though the Test tab shows data
Cause: JSON Paths are incorrectly written — they point to a nested field that does not match the actual response structure, or the response is wrapped in an extra data or result object that the path does not account for.
Solution: Go to the Response & Test tab, paste the actual JSON response (copy it from a successful RapidAPI Endpoint test in the browser), and click Generate JSON Paths to regenerate paths from the real structure. Look for wrapper keys — many APIs return { data: { items: [...] } } rather than a flat array. Write paths like $.data.items[*].name rather than $.items[*].name.
Best practices
- Always route the X-RapidAPI-Key through a Firebase Cloud Function or Supabase Edge Function — one leaked key exposes every API subscription you own.
- Create one API Calls group per subscribed API with that API's specific RapidAPI host as the base URL; mixing hosts in one group causes requests to route incorrectly.
- Always handle 429 responses explicitly in your Action Flow with a user-facing message, never let quota exhaustion show as a blank screen or generic error.
- Use RapidAPI's Code Snippets (cURL output) and Endpoint Test tab to verify the exact response shape before writing JSON Paths in FlutterFlow — this cuts configuration time significantly.
- Set the X-RapidAPI-Host header as a static string (not a variable) — it is not a secret and varies per API subscription, not per user, so parameterizing it adds complexity with no benefit.
- Test on a real device or FlutterFlow Run mode before publishing — the canvas preview cannot execute real API Calls with dynamic variables correctly.
- Monitor your quota from the RapidAPI dashboard regularly and set up email alerts if available on your plan so you know before your app starts returning 429 errors to users.
- Restrict your Cloud Function to an allowlist of specific RapidAPI endpoints your app actually uses, preventing misuse of your proxy if its URL is discovered.
Alternatives
Use Postman to prototype and debug your API requests before recreating them in FlutterFlow — it is a design-and-test companion, not a live runtime gateway like RapidAPI.
Use VS Code when you need to write and edit the Cloud Function proxy code that secures your RapidAPI key before deploying it alongside your FlutterFlow app.
Frequently asked questions
Do I need one X-RapidAPI-Key per API I subscribe to?
No. RapidAPI uses a single unified key for your account. The same X-RapidAPI-Key header value works for every API you subscribe to. What changes per API is the X-RapidAPI-Host header — each API has its own host subdomain. Both headers are required on every request.
Can I store the X-RapidAPI-Key in FlutterFlow's App Values or App State?
You should not. App Values and App State in FlutterFlow are compiled into the Flutter binary that ships to user devices. Anyone with reverse-engineering tools can extract the key from the APK or IPA. Store it in Firebase environment config or Supabase Edge Function secrets, and route calls through a server-side proxy instead.
Why does my API Call pass the FlutterFlow Test tab but fail in the web preview?
FlutterFlow's Test tab runs on Rapid's own servers, bypassing browser CORS policies. When your FlutterFlow web app runs in the browser, the browser enforces CORS and blocks requests to RapidAPI endpoints that do not include your origin. Use a Firebase Cloud Function or Supabase Edge Function proxy as your request origin — the browser calls your proxy, which calls RapidAPI server-to-server without CORS restrictions.
How do I use multiple RapidAPI subscriptions in the same FlutterFlow project?
Create a separate API Calls group for each subscribed API, each with its own base URL (the API's unique .p.rapidapi.com host) and the same X-RapidAPI-Key variable. Do not combine multiple APIs into one group — the host header is different for each, and mixing them causes request routing failures.
What happens when I hit the free-tier quota limit?
RapidAPI returns an HTTP 429 response with a message indicating your plan's limit is exceeded. The API simply stops responding until the quota resets (usually monthly). Handle this in FlutterFlow by checking the response status in your Action Flow and displaying a user-friendly message. To avoid user-facing errors, upgrade to a paid tier or implement caching in your proxy so repeated identical requests do not each count against your quota.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation