Authentication

Every request carries a bearer token in the Authorization header. Tokens come in two flavours.

API keys (recommended for servers)

Cloud API uses Clerk API keys. Create one in Dashboard → API keys; the secret is returned once. Send it as a bearer token:

bash
curl https://api.cloud.enzonic.com/v1/servers \
  -H "Authorization: Bearer ak_live_xxx"

Keys are scoped to your account. Revoking a key immediately stops any client using it. Keys can optionally expire — pass expiresInDays when creating one.

Session tokens (the dashboard)

The web dashboard authenticates with your Clerk session token, which the backend verifies the same way. You normally won't handle these directly.

Managing keys via the API

ts
// list
const { keys } = await cloud.keys.list();

// create (returns the secret once)
const { secret } = await cloud.keys.create("ci-pipeline", { expiresInDays: 90 });

// revoke
await cloud.keys.revoke(keys[0].id);

Tenant isolation

Your credentials only ever reach your own servers. A server belonging to another account is indistinguishable from one that doesn't exist — both return 404 (never 403).

  • You always reference a server by Cloud API's own id; the underlying panel id is taken from your owned record, never from request input.
  • Deploys are always attributed to the authenticated account — you can't create a server on someone else's behalf.
  • On deploy, only an egg's declared, editable variables and its configured docker images are accepted; locked variables fall back to their defaults.
  • Admin endpoints require an account whose email is on the platform admin list.
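
A minimal sketch of the first rule and the 404 behaviour, added here as an illustration and not taken from Cloud API's own code. The record shape, the in-memory store, the error body and all function names are assumptions.

```typescript
// Hypothetical record shape; field names are assumptions for this example.
interface ServerRecord {
  id: string;       // Cloud API's own server id (what clients send)
  ownerId: string;  // account that owns the record
  panelId: number;  // underlying panel id, never accepted from request input
}

interface ApiResponse {
  status: number;
  body: { error: string } | { id: string };
}

// Constructed sample data.
const SERVERS: ServerRecord[] = [
  { id: "srv_a1", ownerId: "acct_alice", panelId: 101 },
  { id: "srv_b1", ownerId: "acct_bob", panelId: 202 },
];

const NOT_FOUND: ApiResponse = { status: 404, body: { error: "not_found" } };

// The lookup is keyed on (id, ownerId) together, so a server owned by another
// account and a server that does not exist take the same code path.
function findOwned(accountId: string, serverId: string): ServerRecord | undefined {
  return SERVERS.find((s) => s.id === serverId && s.ownerId === accountId);
}

function getServer(accountId: string, serverId: string): ApiResponse {
  const record = findOwned(accountId, serverId);
  if (!record) return NOT_FOUND; // never 403: that would confirm the id exists
  return { status: 200, body: { id: record.id } };
}

// Resolve the panel id for a backend call. Anything the client put in the
// request body (including a panelId field) is deliberately ignored.
function resolvePanelId(
  accountId: string,
  serverId: string,
  _untrustedBody: Record<string, unknown>,
): number | null {
  const record = findOwned(accountId, serverId);
  return record ? record.panelId : null;
}
```
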

Security notes

  • Treat secrets like passwords. Store them in environment variables or a secret manager.
  • Use one key per app or environment so you can revoke narrowly.
  • All traffic must be over HTTPS; tokens sent over plain HTTP are rejected by the edge.

Missing or invalid credentials return 401 unauthorized. See Errors.
