Caveat - I don't use Flow myself but have been through the same login confusion. The API key is the only bit of info you would supply when accessing the API. This corresponds to the "username". You don't need your supply your email. There is no password.
Looking at your screenshot, you have labelled optional http header fields (with key A and value B), plus a username C and password D.
I would ignore A and B for the moment.
As per the Companies House authorisation documentation which states:
Basic authentication is usually made up of a username and password pair; the Companies House API takes the username as the API key and ignores the password, so can be left blank.
So in your case:
1. Choose Basic authentication (as you've done in your screenshot).
2. In Username (your label C) enter your companies house API key.
3. The password (your label D) should be blank (nothing - not a space).
If this works, you're done. If you still get 400 errors there's some other issue.
If Flow requires you to enter a password (which I suspect this from the * by the password field in your screenshot) you've got a couple of options:
Option 1) Manually construct and send an Authorization header field:
You'll send the API key using an HTTP header. What you're actually sending will look like:
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
I don't know if Flow will handle authentication by adding a header like this but here's what I'd try:
a) Remove the Authentication part from your request (fields C and D, and presumably Authentication would be "None", blank or somesuch).
b) Encode your API key as london says above:
c) Say the last step gave you "QWxhZGRpbjpPcGVuU2VzYW1l". In the Headers part of your screenshot (A and B) you enter "Authorization" as the key (A) and "Basic QWxhZGRpbjpPcGVuU2VzYW1l" as the value (B) - obviously you don't enter the quote marks in the fields.
Option 2) (Not recommended for security but would test your API key) you can forgo all the Authentication part of your form, and just add your API key to the URL - so if you had API key "someAPIKey" then in your example you'd request GET with the URI:
Again you'll see that there's nothing where the password would normally go (after colon) as CH doesn't use one.
More info at: