ScalixScalix Docs

Authentication

API keys, personal access tokens, and app authentication

Overview

Scalix Cloud uses a unified IAM system for authentication and authorization. Every request to the API requires a valid token.

API Keys

API keys are the simplest way to authenticate. Create one from the dashboard.

Use it in requests:

bash
curl -H "Authorization: Bearer scalix_sk_your_key_here" \
  https://api.scalix.world/v1/functions

Scopes

API keys support fine-grained scopes:

ScopeDescription
database:queryRun SQL queries against your database
database:branchCreate and manage database branches
database:adminFull database administration
compute:deployDeploy container workloads
compute:scaleScale deployments and services
compute:logsRead deployment logs
storage:readRead objects from storage
storage:writeUpload and delete storage objects
functions:deployDeploy serverless functions
functions:invokeExecute serverless functions
functions:logsRead function invocation logs
ai:inferMake AI inference requests

CLI Login

Authenticate the CLI with an API key (create one in the console):

bash
scalix-cloud login

This prompts for your API key (it must start with scalix_sk_ or scalix_pat_), validates it, and stores it securely — in the OS keychain on macOS and Windows, or an owner-only (0600) ~/.scalix/token file on Linux. The key is never written to ~/.scalix/config.toml. You can also pass the key directly: scalix-cloud login scalix_sk_your_key_here.

Token Types

Two token types authenticate API requests:

  • API keys (scalix_sk_) — for server-side SDK usage and services. Scoped to your organization, optionally to a single project.
  • Personal access tokens (scalix_pat_) — for developer tools and the CLI.

Both are created from the console and remain valid until revoked. The API Keys page shows each key's last-used time — keys that show Never or a stale last-use are the first candidates for rotation or revocation.

App Authentication

For end-user authentication in your applications, use the auth SDK:

typescript
import { ScalixAuthClient } from "@scalix-world/auth";
 
const auth = new ScalixAuthClient({
  url: "https://api.scalix.world",
});
 
// Sign up a new user
const { user, session } = await auth.signUp("user@example.com", "secure-password");
 
// Sign in
const result = await auth.signInWithPassword("user@example.com", "secure-password");
 
// MFA enrollment
const factor = await auth.enrollMfa("totp", "My Phone");

Environment Variables

The CLI reads these environment variables (the SDKs take the API key as an explicit constructor argument):

VariableDescription
SCALIX_TOKENAPI key the CLI uses for authentication
SCALIX_API_URLAPI endpoint (default: https://api.scalix.world)