API keys (chm_ Bearer)

Issue and use chm_ Bearer tokens for programmatic access to chmonitor — MCP clients, scripts, and CI pipelines.

The API key layer is provider-agnostic: it activates whenever CHM_API_KEY_SECRET is set, regardless of which auth provider is configured.

  • Keys are HMAC-SHA-256 signed and time-limited.
  • A valid key satisfies the auth guard on any /api/v1/* route.
  • The key layer coexists with any provider: a valid key always grants access, and if the key is absent or invalid the provider's check runs next.

Setup

Set the signing secret server-side:

CHM_API_KEY_SECRET=a-long-random-string-keep-this-secret

Keep the secret server-side only

Never put CHM_API_KEY_SECRET in a VITE_* or NEXT_PUBLIC_* variable — these are inlined into the client bundle at build time. Set it as a server-side env var or Worker secret only.

Set this out-of-band in production. For Cloudflare Workers:

wrangler secret put CHM_API_KEY_SECRET
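One way to enforce the server-side-only warning above in CI is to fail the build when the secret could reach the client bundle. This is an added example, not chmonitor's own code; the function names, the .env file locations, and the build directory argument are assumptions.

```shell
# Added example, not chmonitor code. Directory layout is an assumption.
# check_secret_exposure <project_dir> <build_dir> <secret_value>
# Returns 0 when clean, 1 when the secret can reach the client bundle.
check_secret_exposure() {
  project_dir=$1; build_dir=$2; secret=$3
  prefix='^[[:space:]]*(export[[:space:]]+)?(VITE_|NEXT_PUBLIC_)'
  leak=0
  for f in "$project_dir"/.env "$project_dir"/.env.*; do
    [ -f "$f" ] || continue
    # 1. Client-exposed variable named after the secret,
    #    e.g. VITE_CHM_API_KEY_SECRET.
    if grep -Eq "${prefix}[A-Za-z0-9_]*CHM_API_KEY_SECRET" "$f"; then
      echo "client-exposed secret name in $f" >&2
      leak=1
    fi
    # 2. Client-exposed variable (any name) whose value is the secret.
    if [ -n "$secret" ] && grep -E "$prefix" "$f" | grep -Fq -- "$secret"; then
      echo "client-exposed variable in $f carries the secret value" >&2
      leak=1
    fi
  done
  # 3. Secret value present verbatim in built output.
  if [ -n "$secret" ] && [ -d "$build_dir" ] &&
     grep -rFq -- "$secret" "$build_dir"; then
    echo "secret value found under $build_dir" >&2
    leak=1
  fi
  return "$leak"
}

# Constructed demo: the secret is copied into a VITE_ variable under another name.
demo_leak() {
  d=$(mktemp -d)
  printf 'VITE_API_TOKEN="constructed-demo-secret"\n' > "$d/.env.production"
  rc=0
  check_secret_exposure "$d" "$d/dist" 'constructed-demo-secret' || rc=$?
  rm -rf "$d"
  return "$rc"
}
```

The messages name the offending file only and never echo the secret value, so the check is safe to run with CI logs enabled.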

Issue a token

Call the key-issuance endpoint. It has its own secret-based auth: the request sends the same CHM_API_KEY_SECRET as the Bearer value:

curl -X POST https://dash.example.com/api/v1/auth/api-key \
  -H "Authorization: Bearer $CHM_API_KEY_SECRET"

The response includes a chm_ token. Tokens are time-limited; re-issue before expiry.

Verify

Pass the token in the Authorization header on any /api/v1/* route:

curl https://dash.example.com/api/v1/hosts \
  -H "Authorization: Bearer chm_eyJ..."

curl https://dash.example.com/api/mcp \
  -H "Authorization: Bearer chm_eyJ..." \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'

Troubleshooting
