CF
Start

Core Concepts

Authentication

Use developer API keys for content reads and user sessions for account-level key management.

Overview

Most content reads are authenticated with an API key. Account actions, such as creating or revoking keys, require a user login session.

API key auth

Used by courses and videos methods in every official client.

User auth

Used by key management methods and CLI key management commands.

Developer API keys

API keys follow the format chf_publicId_secret. The public identifier lets the backend find the stored hash, while the secret portion is verified without saving the raw key.

Language example

Authenticate content requests

Courses and videos use a developer API key in the Authorization bearer token.

JavaScript / TypeScript

chefu-academy-sdk - npm

Initialize once in server-side code and reuse the SDK instance.

server.ts
import CheFuAcademy from 'chefu-academy-sdk';

const sdk = new CheFuAcademy({
  apiKey: process.env.CHEFU_API_KEY,
  timeout: 10000,
});

Use server-side environment variables

Keep CHEFU_API_KEY in your server, deployment secrets, or local .env file. Do not prefix it with NEXT_PUBLIC_ in Next.js apps.

User sessions

Login and registration are available from the CLI and SDK clients. The CLI stores a local session for key management commands.

Node / npm
npx --package chefu-academy-sdk chefu-academy auth
npx --package chefu-academy-sdk chefu-academy login
npx --package chefu-academy-sdk chefu-academy whoami
npx --package chefu-academy-sdk chefu-academy logout
Python / PyPI
pipx install chefu-academy
chefu-academy auth
chefu-academy login
chefu-academy whoami
chefu-academy logout
Language example

Manage keys with a user session

Account-level key management uses a user auth token returned by login, not the developer API key.

JavaScript / TypeScript

chefu-academy-sdk - npm

keys.ts
const session = await sdk.auth.login(email, password);

const created = await sdk.keys.create({
  name: 'Production API',
});

const keys = await sdk.keys.list();
await sdk.keys.revoke(keys[0].id);

Direct API calls

If you are not using an SDK, pass your API key in the Authorization header as a bearer token.

Authorization
Authorization: Bearer chf_publicId_secret

Security checklist

  • Use different keys for development and production.
  • Revoke keys immediately when a teammate leaves a project.
  • Never commit keys to GitHub or paste them in public logs.
  • Rotate keys after suspected exposure.
  • Use the CLI or dashboard to list and revoke keys.