Authentication
Verdifax authenticates API callers via a single header. Keys are provisioned out-of-band and shown to the operator exactly once.
Header
X-Verdifax-Key: vfx_<24-byte-random-hex>
Every authenticated endpoint accepts the same header. /health is public.
Two modes
Open mode, when no API keys exist in the database (a fresh deploy, before any key has been provisioned), every authenticated endpoint admits the caller as anonymous (api_key_id = 0). This keeps the docker quickstart trivial.
Locked mode, once any key exists, the API server enforces the header. Calls without a valid X-Verdifax-Key get 401. Run history is scoped to the key that produced it: /runs only returns runs owned by the calling key, and /runs/{id} 404s if the key didn't own that run.
Provisioning a key
curl -s -X POST http://localhost:9090/admin/keys \
-H "Content-Type: application/json" \
-d '{"name":"compliance-team-2026"}' | python3 -m json.tool
{
"ok": true,
"id": 1,
"name": "compliance-team-2026",
"secret": "vfx_a1b2c3d4...",
"hint": "Store this secret now, it will never be shown again."
}
The server stores only sha256(secret). Lose the secret and you must revoke + reissue.
Listing keys
curl -s http://localhost:9090/admin/keys \
-H "X-Verdifax-Key: vfx_..." | python3 -m json.tool
Returns names, creation timestamps, last-used timestamps, run counts, and revocation status, never the secrets.
Revoking a key
curl -s -X DELETE http://localhost:9090/admin/keys/1 \
-H "X-Verdifax-Key: vfx_..."
Revocation is immediate. Subsequent calls with that key get 401.
Rate limiting
Every authenticated endpoint is rate-limited at 100 requests/minute per key by default (configurable via --rate-limit). Anonymous callers in open mode are limited per remote address.