Authentication

Two ways to authenticate: JWT tokens for apps, API keys for developers.

JWT Tokens

When users sign in through Conflux Home, the app automatically handles authentication. The Supabase JWT is sent as a Bearer token.

bash
1
2
3
4
5
6
# Conflux Home handles this automatically
# For reference, the JWT flow:
"docs-token-command">curl https://theconflux.com/v1/chat/completions \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o-mini", "messages": [...]}'

If you're building with Conflux Home, you don't need to manage API keys. The app handles it.

API Keys

For direct API access, generate a key from your dashboard or the /v1/keys/generate endpoint.

bash
1
2
3
4
5
# API keys start with cf_live_ (production) or cf_test_ (sandbox)
"docs-token-command">curl https://theconflux.com/v1/chat/completions \
  -H "Authorization: Bearer cf_live_x7k9m2p4q8r1s5t6" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o-mini", "messages": [...]}'

Security

  • Never expose API keys in client-side code
  • Use environment variables: CONFLUX_API_KEY
  • Rotate keys regularly via /v1/keys/revoke
  • Use cf_test_ keys for development
  • Set expiration dates on keys for temporary access

Auth Errors

401 Unauthorized

json
1
2
3
4
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}

402 Payment Required

json
1
2
3
4
5
6
{
  "error": "Insufficient credits",
  "message": "Need ~5 credits, have 0",
  "balance": "docs-token-number">0,
  "estimated_cost": "docs-token-number">5
}