Authentication

Every request to cmfy.cloud requires an API key. This page explains the key format, how to include it in requests, and security best practices.

API Key Format

cmfy.cloud uses bearer token authentication with prefixed API keys:

sk_live_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijk012345

Prefix	Environment	Purpose
`sk_live_`	Production	Real jobs, billed to your account
`sk_test_`	Sandbox	Testing and development (coming soon)

Keys are 51 characters total: an 8-character prefix plus 43 characters of cryptographically random data.

Including Your API Key

Add your key to the Authorization header with the Bearer scheme:

curl https://api.cmfy.cloud/v1/jobs \
  -H "Authorization: Bearer sk_live_your_api_key_here"

Never Put Keys in URLs

Don't include API keys in query parameters. URLs are logged by web servers, proxies, and browsers. Always use the Authorization header.

Code Examples

Python

import requests

API_KEY = "sk_live_your_api_key"
HEADERS = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

response = requests.post(
    "https://api.cmfy.cloud/v1/jobs",
    headers=HEADERS,
    json={"prompt": {...}}
)

JavaScript/TypeScript

const API_KEY = "sk_live_your_api_key";

const response = await fetch("https://api.cmfy.cloud/v1/jobs", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${API_KEY}`,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({ prompt: {...} })
});

Node.js

const https = require("https");

const options = {
  hostname: "api.cmfy.cloud",
  path: "/v1/jobs",
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.CMFY_API_KEY}`,
    "Content-Type": "application/json"
  }
};

const req = https.request(options, (res) => {
  // Handle response
});

Managing API Keys

Creating Keys

Log in to the cmfy.cloud portal
Go to API Keys
Click Create New Key
Give it a descriptive name (e.g., "Production Server", "CI/CD Pipeline")
Copy the key immediately - it won't be shown again

Viewing Keys

The portal shows:

Key prefix (first 12 characters)
Name you assigned
Creation date
Last used timestamp
Current status

You cannot view the full key after creation - only the prefix for identification.

Revoking Keys

If a key is compromised:

Go to API Keys in the portal
Find the key by its prefix or name
Click Revoke
Confirm the action

Revoked keys immediately stop working. Any in-flight requests will fail.

Security Best Practices

Store Keys Securely

Do:

Use environment variables
Use a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
Store in encrypted configuration files

Don't:

Commit keys to version control
Include in client-side code (browser JavaScript)
Share in chat or email
Log keys in application logs

Use Environment Variables

# .env file (add to .gitignore)
CMFY_API_KEY=sk_live_your_key_here

import os
api_key = os.environ.get("CMFY_API_KEY")

const apiKey = process.env.CMFY_API_KEY;

Rotate Keys Regularly

Even without a breach, periodic rotation limits exposure:

Create a new key
Update your application to use the new key
Deploy the change
Revoke the old key

Use Separate Keys Per Environment

Environment	Key Name	Permissions
Development	`dev-local`	Test key (when available)
Staging	`staging-server`	Production key, limited use
Production	`prod-primary`	Production key
CI/CD	`github-actions`	Production key

This makes it easy to identify which system is using which key and revoke specific keys if needed.

Monitor Usage

Check your portal dashboard for:

Unusual spikes in requests
Requests from unexpected IP addresses
Failed authentication attempts

Authentication Errors

HTTP Status	Error Code	Cause	Solution
401	`missing_auth`	No Authorization header	Add the `Authorization: Bearer <key>` header
401	`invalid_auth_format`	Wrong header format	Use `Bearer <key>`, not just the key
401	`invalid_api_key`	Key doesn't exist	Check for typos, verify key is correct
401	`revoked_api_key`	Key was revoked	Create a new key in the portal
403	`account_suspended`	Account issue	Contact support

Example error response:

{
  "error": {
    "code": "invalid_api_key",
    "message": "Invalid API key"
  }
}

Rate Limits by Key

Each API key has rate limits based on your account tier:

Tier	Requests/min	Concurrent Jobs	Queue Depth
Free	60	2	5
Pro	300	10	50
Enterprise	1000	50	500

Rate limit headers are included in every response:

X-RateLimit-Limit: 60
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1699574400

See Rate Limiting for more details.

What's Next?

First Workflow - Build and submit a complete workflow
Rate Limiting - Understand and work within limits
API Reference - Full endpoint documentation

Was this page helpful?

API Key Format​

Including Your API Key​

Code Examples​

Python​

JavaScript/TypeScript​

Node.js​

Managing API Keys​

Creating Keys​

Viewing Keys​

Revoking Keys​

Security Best Practices​

Store Keys Securely​

Use Environment Variables​

Rotate Keys Regularly​

Use Separate Keys Per Environment​

Monitor Usage​

Authentication Errors​

Rate Limits by Key​

What's Next?​