API Keys
Manage authentication access with Publishable and Secret keys.
What are API Keys?
API keys authenticate your application when making requests to Cencori. Each key is tied to a specific project and can be configured for different use cases.
Key Types
Cencori offers two types of API keys for different security requirements:
Secret Keys
Format: csk_... or csk_test_...
- For server-side use only
- Full access to all features (including admin functions)
- Never expose in browser or client code
- Use in Node.js, Python, or server routes
Publishable Keys
Format: cpk_... or cpk_test_...
- Safe for browser and client-side use
- Requires domain whitelisting
- Only works from allowed domains
- Use for web apps, mobile apps, SPAs
[!NOTE] Legacy Keys Format:
cen_...orcen_test_...Existing keys created before key types are fully functional are treated as secret keys. No migration required.
Managing Keys
You can manage keys in the Settings > API tab of your project dashboard.
Creating API Keys
- Go to your project settings.
- Navigate to the "API" tab.
- Click "New secret key" or "New publishable key".
- Enter a name for the key (e.g., "Production Web App", "Backend Server").
- For publishable keys: add allowed domains (e.g.,
localhost,*.myapp.com). - Copy the key immediately - it won't be shown again!
[!IMPORTANT] API keys are only displayed once. Store them securely in environment variables.
Revoking a Key
If a key is compromised or no longer needed, you can revoke it immediately:
- Find the key in the list.
- Click the Context Menu (...).
- Select Revoke key.
- The key will stop working immediately and requests using it will fail with
401 Unauthorized.
Using API Keys
Server-Side (Secret Key)
// app.ts
import { Cencori } from 'cencori';
const cencori = new Cencori({
apiKey: process.env.CENCORI_API_KEY, // csk_xxx
});
const response = await cencori.ai.chat({
model: 'gpt-4o',
messages: [{ role: 'user', content: 'Hello!' }],
});Browser (Publishable Key)
// browser.ts
import { Cencori } from 'cencori';
// Safe to use in browser - only works from allowed domains
const cencori = new Cencori({
apiKey: process.env.NEXT_PUBLIC_CENCORI_PUBLISHABLE_KEY, // cpk_xxx
});
const response = await cencori.ai.chat({
model: 'gpt-4o',
messages: [{ role: 'user', content: 'Hello!' }],
});REST API
curl -X POST https://cencori.com/api/ai/chat \
-H "Content-Type: application/json" \
-H "CENCORI_API_KEY: csk_xxx" \
-d '{
"model": "gpt-4o",
"messages": [{"role": "user", "content": "Hello!"}]
}'Domain Whitelisting
Publishable keys require domain whitelisting for security. Requests from non-whitelisted domains return 403 Forbidden.
Supported Patterns
localhost: Local development on any port.myapp.com: Exact domain match.*.myapp.com: All subdomains (e.g.,app.myapp.com,staging.myapp.com).
Security Best Practices
Do
- Use secret keys for server-side code
- Use publishable keys with domain restrictions for browsers
- Store secrets in environment variables
- Use different keys for development and production
- Rotate keys regularly (every 90 days)
- Revoke unused or compromised keys immediately
Don't
- Expose secret keys (
csk_) in client code - Commit keys to version control (git)
- Share keys between environments
- Hard-code keys in your application
Environment Variables
# .env (Node.js)
# Server-side (secret key)
CENCORI_API_KEY=csk_xxx
# Test environment
CENCORI_TEST_API_KEY=csk_test_xxx
# Browser (publishable key - can be public)
NEXT_PUBLIC_CENCORI_PUBLISHABLE_KEY=cpk_xxxKey Rotation
- Generate a new API key
- Update your environment variables
- Deploy the updated configuration
- Verify the new key works
- Revoke the old key

