Credentials

cmfy.cloud lets you store credentials securely and link them to your API keys. This enables access to:

  • Gated models on Hugging Face that require authentication
  • Private models in your own S3 buckets or Azure Blob Storage
  • Custom model registries with HTTP authentication

How It Works

  1. Create a credential in the portal for each service you need to access
  2. Link the credential to one or more API keys
  3. Submit jobs - credentials are automatically applied based on URL patterns

When you submit a job, cmfy.cloud matches model URLs in your workflow against your credentials' URL patterns. Matching credentials are securely decrypted and used to authenticate model downloads.

Supported Providers

Hugging Face

Access gated models like Flux, Llama, and other restricted models on Hugging Face Hub.

Required fields:

  • token - Your Hugging Face access token

Default URL patterns:

  • huggingface.co/*
  • *.hf.co/*

Getting your token:

  1. Go to huggingface.co/settings/tokens
  2. Create a new token with read access
  3. For gated models, ensure you've accepted the model's license on its page

Gated Model Access

Before using a gated model, you must accept its license on Hugging Face. Visit the model page (e.g., huggingface.co/black-forest-labs/FLUX.1-dev) and click "Agree and access repository".

Amazon S3

Access models stored in your own S3 buckets or S3-compatible storage.

Required fields:

  • accessKeyId - Your AWS access key ID
  • secretAccessKey - Your AWS secret access key

Optional fields:

  • region - AWS region (e.g., us-east-1)
  • endpoint - Custom endpoint for S3-compatible storage (e.g., MinIO, Backblaze B2)

URL patterns: Configure custom patterns matching your bucket URLs, e.g.:

  • my-models.s3.us-east-1.amazonaws.com/*
  • s3.us-west-2.amazonaws.com/my-company-models/*

IAM Best Practices

Create a dedicated IAM user with read-only access to your model buckets. Never use root credentials or overly-permissive policies.

Example minimal policy:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::my-models/*"
  }]
}
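
To check a policy against this guidance before storing the key pair, the following added example (not cmfy.cloud code) flags Allow statements that grant more than read-only object access to a single bucket. The function names and the BROAD sample policy are constructed for illustration.

```python
import json

# The page's minimal policy, and a constructed over-broad one for contrast.
MINIMAL = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-models/*"}]}'''
BROAD = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "s3:*", "Resource": "*"}]}'''

ALLOWED_ACTIONS = {"s3:getobject"}  # all a model download needs; IAM action names are case-insensitive
S3_ARN = "arn:aws:s3:::"

def _as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings for Allow statements broader than read-only object access."""
    findings = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource grants everything outside a list")
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: {action!r} is not needed to download models")
        for res in _as_list(st.get("Resource", [])):
            # The bucket name is the ARN segment before the first "/"
            bucket = res[len(S3_ARN):].split("/", 1)[0] if res.startswith(S3_ARN) else ""
            if not bucket or "*" in bucket or "?" in bucket:
                findings.append(f"statement {i}: resource {res!r} is not scoped to one bucket")
    return findings

if __name__ == "__main__":
    for name, doc in (("minimal", MINIMAL), ("broad", BROAD)):
        print(name, audit_policy(doc) or "ok")
```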

Azure Blob Storage

Access models stored in Azure Blob Storage using SAS tokens.

Required fields:

  • sasToken - Shared Access Signature token with read permissions

Default URL patterns:

  • *.blob.core.windows.net/*

Getting a SAS token:

  1. Go to your storage account in Azure Portal
  2. Navigate to Shared access signature under Security + networking
  3. Configure:
    • Allowed services: Blob
    • Allowed resource types: Object
    • Allowed permissions: Read
    • Expiry: Set an appropriate expiration
  4. Generate and copy the SAS token
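
Before pasting the token into the portal, its scope can be checked against the settings in step 3. This added example (not cmfy.cloud code) reads the account SAS query fields ss, srt, sp and se and reports anything broader than Blob / Object / Read. The sample tokens are constructed, and the 90-day ceiling is a hypothetical value standing in for "an appropriate expiration".

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample tokens; the signatures are placeholders, not real values.
SCOPED = "sv=2022-11-02&ss=b&srt=o&sp=r&se=2025-02-01T00%3A00%3A00Z&sig=PLACEHOLDER"
BROAD = "?sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlacup&se=2035-01-01T00%3A00%3A00Z&sig=PLACEHOLDER"

# Hypothetical ceiling for "an appropriate expiration"; pick your own rotation window.
MAX_LIFETIME = timedelta(days=90)

def audit_sas(token, now, max_lifetime=MAX_LIFETIME):
    """Compare an account SAS token's scope fields with the settings in step 3."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    # ss = allowed services, srt = allowed resource types, sp = allowed permissions
    for field, want, label in (("ss", "b", "services"), ("srt", "o", "resource types"),
                               ("sp", "r", "permissions")):
        got = q.get(field, "")
        if got != want:
            findings.append(f"{label}: {field}={got!r}, expected {want!r}")
    expiry_raw = q.get("se")  # se = expiry time, ISO 8601 UTC
    if expiry_raw is None:
        findings.append("expiry: no se field")
        return findings
    expiry = datetime.fromisoformat(expiry_raw.replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # date-only form carries no offset; SAS times are UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= now:
        findings.append(f"expiry: token expired at {expiry_raw}")
    elif expiry - now > max_lifetime:
        findings.append(f"expiry: valid for {(expiry - now).days} days, above the ceiling")
    return findings  # the sig field is never echoed into findings

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for name, tok in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_sas(tok, now) or "ok")
```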

HTTP Bearer Token

Generic bearer token authentication for custom model registries.

Required fields:

  • token - The bearer token value

URL patterns: You must configure custom patterns matching your registry URLs.

Example use cases:

  • Private Docker registries serving model files
  • Custom model APIs with token auth
  • Self-hosted model repositories

HTTP Basic Auth

Username/password authentication for model endpoints.

Required fields:

  • username - The username
  • password - The password

URL patterns: You must configure custom patterns matching your server URLs.

HTTP API Key

Custom header authentication for APIs that use API keys.

Required fields:

  • headerName - The header name (e.g., X-API-Key, Authorization)
  • headerValue - The header value

URL patterns: You must configure custom patterns matching your API URLs.

Managing Credentials

Creating a Credential

  1. Go to the Portal Dashboard
  2. Navigate to Credentials
  3. Click Add Credential
  4. Select the provider type
  5. Enter a descriptive name (e.g., "HuggingFace - Production")
  6. Fill in the required fields
  7. Click Create

The credential is validated immediately - if validation fails, you'll see an error with details.

Linking to API Keys

Credentials must be linked to API keys to take effect:

  1. Select a credential from your list
  2. Click Manage API Keys
  3. Select which API keys should use this credential
  4. Save changes

You can link one credential to multiple API keys, but each credential-to-key link is explicit.

URL Pattern Matching

Some providers have default URL patterns. You can also add custom patterns:

Pattern syntax:

  • * matches any characters within a path segment
  • Patterns match the full URL (scheme + host + path)
  • More specific patterns take priority

Examples:

huggingface.co/*                                # All HuggingFace URLs
huggingface.co/my-org/*                         # Only your organization
my-bucket.s3.us-east-1.amazonaws.com/models/*   # Specific bucket path
models.internal.company.com/*                   # Custom internal registry
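
To reason about which credential a given model URL would select, and to confirm that a look-alike host selects none, the following added example is a local approximation of the rules above, not cmfy.cloud's matcher. Assumptions: the scheme is dropped before comparison (as in the examples), `*` stays within one segment except a trailing `/*` which covers everything beneath, and specificity is the count of literal characters; the credential names are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed credential names mapped to patterns taken from this page.
CREDENTIALS = {
    "hf-default": ["huggingface.co/*", "*.hf.co/*"],
    "hf-my-org": ["huggingface.co/my-org/*"],
    "s3-models": ["my-bucket.s3.us-east-1.amazonaws.com/models/*"],
}

def compile_pattern(pattern):
    """Assumed semantics: '*' stays inside one segment, a trailing '/*' covers the subtree."""
    body, tail = (pattern[:-2], "/.*") if pattern.endswith("/*") else (pattern, "")
    return re.compile("".join("[^/]*" if ch == "*" else re.escape(ch) for ch in body) + tail)

def resolve(url, credentials=CREDENTIALS):
    """Return the credential whose most specific pattern matches url, or None."""
    parts = urlsplit(url)
    # Assumption: the scheme is dropped and host + path is compared, as in the examples.
    target = (parts.hostname or "") + parts.path
    best = None
    for name, patterns in credentials.items():
        for pattern in patterns:
            # fullmatch anchors both ends, so the host must match from its first character
            if compile_pattern(pattern).fullmatch(target):
                score = len(pattern.replace("*", ""))  # literal characters = specificity
                if best is None or score > best[0]:
                    best = (score, name)
    return best[1] if best else None

if __name__ == "__main__":
    for url in ("https://huggingface.co/my-org/model/resolve/main/a.safetensors",
                "https://huggingface.co.example.test/my-org/model"):
        print(url, "->", resolve(url))
```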

Validation

Credentials are validated when created and can be re-validated anytime:

Status     Meaning
Valid      Credential works and is ready to use
Invalid    Credential failed validation (wrong token, expired, etc.)
Pending    Validation in progress
Expired    Credential has expired (for time-limited tokens)

Only credentials with valid status are used for job requests.

Revoking Credentials

To revoke a credential:

  1. Select the credential
  2. Click Revoke
  3. Confirm the action

Revoked credentials are immediately disabled and cannot be used for new jobs. Jobs already in progress will complete with any already-resolved credentials.

Security

Encryption

All credentials are encrypted at rest using envelope encryption:

  • Each credential has a unique Data Encryption Key (DEK)
  • DEKs are encrypted with a Key Encryption Key (KEK)
  • Only the minimal required fields are decrypted during job execution

Audit Logging

All credential operations are logged:

  • Creation, updates, and revocation
  • Linking/unlinking from API keys
  • Usage in job requests (credential ID only, never values)

Best Practices

  1. Use separate credentials per environment - Don't share production credentials with development
  2. Rotate regularly - Update tokens periodically, especially after team changes
  3. Minimal permissions - Only grant the access level needed (read-only for models)
  4. Monitor usage - Review audit logs for unexpected credential usage
  5. Revoke promptly - Remove credentials immediately when no longer needed

Troubleshooting

"No credential matched URL"

The model URL doesn't match any credential patterns linked to your API key.

Solutions:

  1. Verify you have a credential for this provider
  2. Check the credential is linked to the API key you're using
  3. Add a custom URL pattern if the default patterns don't match

"Credential validation failed"

The credential couldn't authenticate with the provider.

Common causes:

  • Token expired or revoked
  • Wrong credentials entered
  • Insufficient permissions (e.g., gated model license not accepted)
  • Network issues during validation

Solutions:

  1. Re-validate the credential to see the specific error
  2. Generate a new token from the provider
  3. For HuggingFace gated models, accept the license first

"Model download failed: 401 Unauthorized"

The credential was matched but authentication failed during download.

Common causes:

  • Token expired since last validation
  • Model moved or permissions changed
  • Rate limiting by the provider

Solutions:

  1. Re-validate the credential
  2. Check the model is still accessible with your token
  3. Wait and retry for rate limiting
