What are API Keys?

API keys authenticate your application when making requests to Cencori. Each key is tied to a specific project and can be configured for different use cases.

Key Types

Cencori offers two types of API keys for different security requirements:

Secret Keys

Format: csk_... or csk_test_...

For server-side use only
Full access to all features (including admin functions)
Never expose in browser or client code
Use in Node.js, Python, or server routes

Publishable Keys

Format: cpk_... or cpk_test_...

Safe for browser and client-side use
Requires domain whitelisting
Only works from allowed domains
Use for web apps, mobile apps, SPAs

[!NOTE] Legacy Keys Format: cen_... or cen_test_... Existing keys created before key types are fully functional are treated as secret keys. No migration required.

Managing Keys

You can manage keys in the Settings > API tab of your project dashboard.

Creating API Keys

Go to your project settings.
Navigate to the "API" tab.
Click "New secret key" or "New publishable key".
Enter a name for the key (e.g., "Production Web App", "Backend Server").
For publishable keys: add allowed domains (e.g., localhost, *.myapp.com).
Copy the key immediately - it won't be shown again!

[!IMPORTANT] API keys are only displayed once. Store them securely in environment variables.

Revoking a Key

If a key is compromised or no longer needed, you can revoke it immediately:

Find the key in the list.
Click the Context Menu (...).
Select Revoke key.
The key will stop working immediately and requests using it will fail with 401 Unauthorized.

Using API Keys

Server-Side (Secret Key)

Codetext

// app.ts
import { Cencori } from 'cencori';
 
const cencori = new Cencori({
  apiKey: process.env.CENCORI_API_KEY, // csk_xxx
});
 
const response = await cencori.ai.chat({
  model: 'gpt-4o',
  messages: [{ role: 'user', content: 'Hello!' }],
});

Browser (Publishable Key)

Codetext

// browser.ts
import { Cencori } from 'cencori';
 
// Safe to use in browser - only works from allowed domains
const cencori = new Cencori({
  apiKey: process.env.NEXT_PUBLIC_CENCORI_PUBLISHABLE_KEY, // cpk_xxx
});
 
const response = await cencori.ai.chat({
  model: 'gpt-4o',
  messages: [{ role: 'user', content: 'Hello!' }],
});

REST API

Codetext

curl -X POST https://cencori.com/api/ai/chat \
  -H "Content-Type: application/json" \
  -H "CENCORI_API_KEY: csk_xxx" \
  -d '{
    "model": "gpt-4o",
    "messages": [{"role": "user", "content": "Hello!"}]
  }'

Domain Whitelisting

Publishable keys require domain whitelisting for security. Requests from non-whitelisted domains return 403 Forbidden.

Supported Patterns

localhost: Local development on any port.
myapp.com: Exact domain match.
*.myapp.com: All subdomains (e.g., app.myapp.com, staging.myapp.com).

Security Best Practices

Do

Use secret keys for server-side code
Use publishable keys with domain restrictions for browsers
Store secrets in environment variables
Use different keys for development and production
Rotate keys regularly (every 90 days)
Revoke unused or compromised keys immediately

Don't

Expose secret keys (csk_) in client code
Commit keys to version control (git)
Share keys between environments
Hard-code keys in your application

Environment Variables

Codetext

# .env (Node.js)
# Server-side (secret key)
CENCORI_API_KEY=csk_xxx
 
# Test environment
CENCORI_TEST_API_KEY=csk_test_xxx
 
# Browser (publishable key - can be public)
NEXT_PUBLIC_CENCORI_PUBLISHABLE_KEY=cpk_xxx

Key Rotation

Generate a new API key
Update your environment variables
Deploy the updated configuration
Verify the new key works
Revoke the old key