
Authentication

ClawNex uses different authentication methods depending on the endpoint type and whether RBAC is enabled.

API Key Authentication (Public API)

Public API endpoints (/api/v1/*) use API key authentication regardless of the RBAC setting.

Key Format

cnx_<40 hex characters>

Example: cnx_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2

Keys are never stored in plaintext. On creation, the key is hashed with SHA-256 and only the hash is persisted. The plaintext key is returned exactly once at creation time.

Providing the Key

Primary format (recommended):

X-ClawNex-Key: cnx_YOUR_KEY_HERE

OpenAI-compatible format (required for chat completions):

Authorization: Bearer cnx_YOUR_KEY_HERE

Both formats are accepted on all endpoints. If both are present, X-ClawNex-Key takes precedence.

Available Scopes

Scope             Grants Access To
----------------  ------------------------------------------------
shield:scan       POST /api/v1/shield/scan
shield:read       Reserved for future shield statistics endpoints
agents:read       GET /api/v1/agents
alerts:read       GET /api/v1/alerts
audit:read        GET /api/v1/audit
fleet:read        GET /api/v1/fleet
chat:completions  POST /api/v1/chat/completions

Assign only the scopes required for the integration (principle of least privilege).
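As an added illustration (not ClawNex's own code), the server-side check that ties the rules above together: the key is taken from either header with X-ClawNex-Key winning, validated against the cnx_ format, looked up by its SHA-256 hash rather than its plaintext, and then checked against the scope each public endpoint requires. The endpoint-to-scope map, the in-memory store and the function names are assumptions; the scope names and paths come from the table above.

```python
import hashlib
import re
import secrets

KEY_RE = re.compile(r"^cnx_[0-9a-f]{40}$")  # "cnx_" + 40 hex chars, as on this page

# Assumed endpoint-to-scope map, transcribed from the "Available Scopes" table.
ENDPOINT_SCOPES = {
    ("POST", "/api/v1/shield/scan"): "shield:scan",
    ("GET", "/api/v1/agents"): "agents:read",
    ("GET", "/api/v1/alerts"): "alerts:read",
    ("GET", "/api/v1/audit"): "audit:read",
    ("GET", "/api/v1/fleet"): "fleet:read",
    ("POST", "/api/v1/chat/completions"): "chat:completions",
}

def hash_key(plaintext: str) -> str:
    """Only this digest is persisted; the plaintext key never is."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

def create_key(store: dict, name: str, scopes) -> str:
    """Mint a key, persist {hash: record}, and return the plaintext exactly once."""
    plaintext = "cnx_" + secrets.token_hex(20)  # 20 random bytes -> 40 hex chars
    store[hash_key(plaintext)] = {"name": name, "scopes": frozenset(scopes)}
    return plaintext

def extract_key(headers: dict):
    """X-ClawNex-Key takes precedence when Authorization: Bearer is also present."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-clawnex-key" in lower:
        return lower["x-clawnex-key"].strip()
    auth = lower.get("authorization", "")
    if auth[:7].lower() == "bearer ":
        return auth[7:].strip()
    return None

def authorize(store: dict, headers: dict, method: str, path: str):
    """Return (status, detail) for a public-API request: key check, then scope check."""
    key = extract_key(headers)
    if key is None or not KEY_RE.match(key):
        return 401, "missing or malformed API key"
    record = store.get(hash_key(key))  # lookup by hash; plaintext is never compared or stored
    if record is None:
        return 401, "unknown or revoked API key"
    needed = ENDPOINT_SCOPES.get((method, path))
    if needed is None:
        return 404, "no such public endpoint"
    if needed not in record["scopes"]:
        return 403, "key lacks scope " + needed
    return 200, record["name"]
```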

Creating Keys

Via Dashboard:

  1. Navigate to Configuration > API Keys
  2. Click Create API Key
  3. Enter a name, select scopes, optionally set a custom rate limit (default: 60 req/min)
  4. Click Generate and copy the key immediately

Via API (this is an internal /api/* route, so when RBAC is enabled the request also needs the session cookie and CSRF token described below):

curl -X POST http://127.0.0.1:5001/api/config/api-keys \
  -H "Content-Type: application/json" \
  -d '{"name": "CI/CD Pipeline", "scopes": ["shield:scan", "alerts:read"]}'
⚠️ The plaintext key is shown exactly once at creation. Store it in a secrets manager immediately. If lost, revoke the key and generate a new one.

Session Authentication (Dashboard / Internal API)

When RBAC is enabled (RBAC_ENABLED=true), internal API endpoints (/api/*) require a valid session cookie (clawnex_session).

CSRF Protection

Mutation endpoints (POST, PUT, PATCH, DELETE) on internal routes require a CSRF token via the X-CSRF-Token header when RBAC is enabled.

Authentication Summary

Endpoint Pattern          Auth Method                        RBAC Impact
------------------------  ---------------------------------  ------------------------------------------
/api/v1/* (public)        API key (X-ClawNex-Key)            None — works the same with or without RBAC
/api/* (internal, read)   Session cookie (clawnex_session)   Required when RBAC is enabled
/api/* (internal, write)  Session cookie + CSRF token        Required when RBAC is enabled
MCP Server                MCP protocol (localhost CORS)      Not affected

Key Rotation

  1. Create the new key before revoking the old one
  2. Update all integrations to use the new key
  3. Verify traffic is flowing with the new key (check last_used_at)
  4. Revoke the old key
  5. Rotate keys every 90 days or after any suspected compromise