Authentication

Cura’s AI Model API uses API key authentication to secure all requests. You must include your API key with every request to access the API endpoints.

Setup

Server Configuration

Set an environment variable on your Cura server:
CURA_API_KEY=your_secret_api_key_here
Keep your API key secure and never expose it in client-side code or public repositories.

Client Authentication

Include your API key in every request using one of the methods below.

Include the API key in the request headers:
X-API-Key: YOUR_API_KEY

Example with cURL

curl -X POST "https://app.mycura.org/api/cura/chat" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: YOUR_API_KEY" \
  -d '{"message": "Hello"}'

Example with Node.js

const response = await fetch('https://app.mycura.org/api/cura/chat', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-API-Key': 'YOUR_API_KEY'
  },
  body: JSON.stringify({
    message: 'Hello'
  })
});

Example with Python

import requests

headers = {
    'Content-Type': 'application/json',
    'X-API-Key': 'YOUR_API_KEY'
}

response = requests.post(
    'https://app.mycura.org/api/cura/chat',
    headers=headers,
    json={'message': 'Hello'}
)

Query Parameter Authentication

Alternatively, you can pass the API key as a query parameter:
?api_key=YOUR_API_KEY

Example with cURL

curl -X POST "https://app.mycura.org/api/cura/chat?api_key=YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"message": "Hello"}'
Header authentication is preferred over query parameters for better security, as query parameters may be logged in server access logs.
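
The access-log exposure described above can be checked for and cleaned up after the fact. The following is an added example, not part of the Cura documentation or code: it scans access-log lines for the `api_key` query parameter and masks its value. The combined log format, the sample lines and the key value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter name from this page; matched case-insensitively as a precaution.
KEY_PARAM = "api_key"
REDACTED = "REDACTED"

def redact_url(url):
    """Return (url with the api_key value masked, whether a key was present)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name.lower() == KEY_PARAM for name, _ in pairs):
        return url, False
    masked = [(n, REDACTED if n.lower() == KEY_PARAM else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), True

# Request line inside an access-log entry: "METHOD target HTTP/x.y"
# (assumes the common/combined log format).
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scrub_log(lines):
    """Mask keys in access-log lines; return (clean_lines, leaking_line_numbers)."""
    clean, leaks = [], []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if match:
            target, leaked = redact_url(match.group("target"))
            if leaked:
                leaks.append(number)
                line = line[:match.start("target")] + target + line[match.end("target"):]
        clean.append(line)
    return clean, leaks

# Constructed sample lines (not real traffic); the key value is made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /api/cura/chat HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "POST /api/cura/chat?api_key=sk_example_123 HTTP/1.1" 200 498',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "POST /api/cura/chat?lang=en&API_KEY=sk_example_123 HTTP/1.1" 401 41',
]

if __name__ == "__main__":
    cleaned, leaking = scrub_log(SAMPLE_LOG)
    print("lines that carried a key in the URL:", leaking)
    print("\n".join(cleaned))
```

Any key that appears in the list of leaking lines has already been written to disk in clear text, so it is a candidate for rotation.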

Error Responses

Missing or Invalid API Key

If no API key is provided or an invalid key is used:
{
  "error": "Unauthorized - Invalid API key"
}
The API returns HTTP status code 401 Unauthorized for authentication failures.

Best Practices

  • Store API keys securely using environment variables
  • Never commit API keys to version control
  • Use different API keys for different environments (dev, staging, production)
  • Rotate API keys regularly
  • Use header authentication when possible
  • Implement proper error handling for authentication failures
  • Cache authentication tokens appropriately
  • Use HTTPS for all API requests