API keys (chm_ Bearer)
Issue and use chm_ Bearer tokens for programmatic access to chmonitor — MCP clients, scripts, and CI pipelines.
The API key layer is provider-agnostic. It activates whenever CHM_API_KEY_SECRET is set, regardless of which auth provider is configured. This is how MCP clients, scripts, and CI pipelines authenticate.
- Keys are HMAC-SHA-256 signed and time-limited.
- A valid key satisfies the auth guard on any /api/v1/* route.
- The key layer coexists with any provider: a valid key always grants access, and if the key is absent or invalid the provider's check runs next.
Setup
Set the signing secret server-side:
CHM_API_KEY_SECRET=a-long-random-string-keep-this-secret
Keep the secret server-side only
Never put CHM_API_KEY_SECRET in a VITE_* or NEXT_PUBLIC_* variable — these are inlined into the client bundle at build time. Set it as a server-side env var or Worker secret only.
Set this out-of-band in production. For Cloudflare Workers:
wrangler secret put CHM_API_KEY_SECRET
Issue a token
Call the key-issuance endpoint. It uses its own secret-based auth (the same CHM_API_KEY_SECRET):
curl -X POST https://dash.example.com/api/v1/auth/api-key \
-H "Authorization: Bearer $CHM_API_KEY_SECRET"
The response includes a chm_ token. Tokens are time-limited; re-issue before expiry.
Verify
Pass the token in the Authorization header on any /api/v1/* route:
curl https://dash.example.com/api/v1/hosts \
-H "Authorization: Bearer chm_eyJ..."

curl https://dash.example.com/api/mcp \
-H "Authorization: Bearer chm_eyJ..." \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"tools/list","id":1}'
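
To make "HMAC-SHA-256 signed and time-limited" and the key-then-provider order concrete, here is an added Node.js sketch that is not chmonitor's own code. The token layout (chm_ + base64url JSON payload + "." + base64url MAC) and the names issueToken, verifyToken and authorize are assumptions for illustration; the page does not document the real format.

```javascript
// Added illustration: the token layout below is an assumption, not chmonitor's format.
const nodeCrypto = require("node:crypto");

const PREFIX = "chm_";
const b64u = (data) => Buffer.from(data).toString("base64url");
const mac = (secret, data) =>
  b64u(nodeCrypto.createHmac("sha256", secret).update(data).digest());

// Issue chm_<base64url(JSON {exp})>.<base64url(HMAC-SHA-256 over the payload)>.
function issueToken(secret, ttlSeconds, nowMs = Date.now()) {
  const payload = b64u(JSON.stringify({ exp: Math.floor(nowMs / 1000) + ttlSeconds }));
  return `${PREFIX}${payload}.${mac(secret, payload)}`;
}

// True only for a well-formed, correctly signed, unexpired token.
function verifyToken(secret, token, nowMs = Date.now()) {
  if (typeof token !== "string" || !token.startsWith(PREFIX)) return false;
  const parts = token.slice(PREFIX.length).split(".");
  if (parts.length !== 2) return false;
  const given = Buffer.from(parts[1]);
  const expected = Buffer.from(mac(secret, parts[0]));
  // Verify the signature before parsing the payload, in constant time.
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length) return false;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return false;
  try {
    const { exp } = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    return Number.isInteger(exp) && Math.floor(nowMs / 1000) < exp;
  } catch {
    return false;
  }
}

// Guard order described on the page: the key layer is active only when a
// secret is set; a valid key grants access, otherwise the provider check runs.
function authorize(secret, authorizationHeader, providerCheck, nowMs = Date.now()) {
  const m = /^Bearer (\S+)$/.exec(authorizationHeader || "");
  if (secret && m && verifyToken(secret, m[1], nowMs)) return "api-key";
  return providerCheck() ? "provider" : "denied";
}
```
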