API Authentication
All API requests require authentication using API keys. Choose from three authentication methods: Basic Auth (recommended), Bearer token, or custom ApiKey header.
API Key Format
CronRadar API keys follow a structured format for easy identification and security:
ck_app_[appId]_[secret]
Example:
ck_app_12345_abcdef1234567890
Keep API keys secure:
- API keys are hashed using SHA256 and cannot be retrieved
- Store keys in environment variables, not in source code
- Regenerate keys immediately if compromised
- Each application has its own unique API key
Authentication Methods
1. Basic Auth (Recommended)
Use HTTP Basic Authentication with your API key as the username and an empty password. This is the simplest and most widely supported method.
curl -u ck_app_12345_abcdef: https://cron.life/ping/backup-job
2. Bearer Token
Use the API key as a Bearer token in the Authorization header.
curl -H "Authorization: Bearer ck_app_12345_abcdef" \
https://cron.life/ping/backup-job
3. Custom ApiKey Header
Send the API key in the Authorization header using the custom ApiKey scheme.
curl -H "Authorization: ApiKey ck_app_12345_abcdef" \
https://cron.life/ping/backup-job
This method is useful for clients that have limitations with Basic Auth or Bearer tokens.
Error Responses
401 Unauthorized
Returned when authentication fails (missing, invalid, or malformed API key).
{
"error": "AUTHENTICATION_REQUIRED",
"message": "API key authentication is required"
}
403 Forbidden
Returned when the API key is valid but doesn't have access to the requested resource.
{
"error": "ACCESS_DENIED",
"message": "API key does not have access to this resource"
}
429 Rate Limit Exceeded
Returned when the API rate limit is exceeded (1000 requests per minute).
{
"error": "RATE_LIMIT_EXCEEDED",
"message": "API rate limit exceeded",
"retry_after": 45
}
The response includes a Retry-After header with the number of seconds to wait.
Security Best Practices
- Environment Variables: Store API keys in environment variables, not in source code or version control.
- HTTPS Only: Always use HTTPS endpoints. CronRadar will not accept API requests over HTTP.
- Separate Keys: Use different API keys for development, staging, and production environments.
- Rotate Regularly: Regenerate API keys periodically as part of security hygiene.
- Monitor Usage: Check API usage in your dashboard to detect unauthorized access.
- Revoke Compromised Keys: If an API key is exposed, regenerate it immediately from your dashboard.
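The following client-side helper is an added example, not CronRadar's own code: it loads the key from the environment, builds the Authorization header for each of the three methods above, redacts the key for logging, and derives the wait time from a 429 response. The variable name CRONRADAR_API_KEY, the function names, the character classes in the key pattern, and the 60-second fallback are assumptions.

```python
import base64
import os
import re

# Key layout from this page: ck_app_[appId]_[secret]. The character classes
# are an assumption; the page does not specify them.
KEY_RE = re.compile(r"^ck_app_([A-Za-z0-9]+)_([A-Za-z0-9]+)$")


def load_key(env=os.environ, var="CRONRADAR_API_KEY"):
    """Read the key from the environment (variable name is hypothetical)."""
    key = env.get(var, "").strip()
    if not KEY_RE.match(key):
        # Never echo the value itself: a malformed key may still be a secret.
        raise ValueError(f"{var} is missing or not ck_app_[appId]_[secret]")
    return key


def redact(key):
    """Log-safe form: keep prefix and app id, hide the secret part."""
    m = KEY_RE.match(key)
    return f"ck_app_{m.group(1)}_***" if m else "***"


def auth_header(key, method="basic"):
    """Authorization header for one of the three documented methods."""
    if method == "basic":
        # Key as username, empty password: base64("<key>:"), as curl -u does.
        token = base64.b64encode(f"{key}:".encode()).decode()
        return {"Authorization": f"Basic {token}"}
    if method in ("bearer", "apikey"):
        scheme = "Bearer" if method == "bearer" else "ApiKey"
        return {"Authorization": f"{scheme} {key}"}
    raise ValueError(f"unknown method: {method}")


def retry_delay(status, headers, body, default=60):
    """Seconds to wait after a 429, else None. Prefers the Retry-After
    header, then the retry_after JSON field; default is an assumption."""
    if status != 429:
        return None
    value = headers.get("Retry-After") or body.get("retry_after")
    try:
        return max(0, int(value))
    except (TypeError, ValueError):
        return default
```

The Basic header is only base64-encoded, so it exposes the key as directly as the Bearer and ApiKey forms; the HTTPS-only rule applies equally to all three.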
Rate Limits
CronRadar enforces rate limits to ensure service reliability:
| Endpoint Type | Rate Limit |
|---|---|
| Ping Endpoints (/ping/*) | 1,000 requests per minute |
| Sync Endpoint (/api/sync) | 10 requests per minute |
If you need higher rate limits, contact support@cronradar.com.