Authentication
API keys, personal access tokens, and app authentication
Overview
Scalix Cloud uses a unified IAM system for authentication and authorization. Every request to the API requires a valid token.
API Keys
API keys are the simplest way to authenticate. Create one from the dashboard.
Use it in requests:
curl -H "Authorization: Bearer scalix_sk_your_key_here" \
https://api.scalix.world/v1/functionsScopes
API keys support fine-grained scopes:
| Scope | Description |
|---|---|
database:query | Run SQL queries against your database |
database:branch | Create and manage database branches |
database:admin | Full database administration |
compute:deploy | Deploy container workloads |
compute:scale | Scale deployments and services |
compute:logs | Read deployment logs |
storage:read | Read objects from storage |
storage:write | Upload and delete storage objects |
functions:deploy | Deploy serverless functions |
functions:invoke | Execute serverless functions |
functions:logs | Read function invocation logs |
ai:infer | Make AI inference requests |
CLI Login
Authenticate the CLI with an API key (create one in the console):
scalix-cloud loginThis prompts for your API key (it must start with scalix_sk_ or scalix_pat_), validates it, and stores it securely — in the OS keychain on macOS and Windows, or an owner-only (0600) ~/.scalix/token file on Linux. The key is never written to ~/.scalix/config.toml. You can also pass the key directly: scalix-cloud login scalix_sk_your_key_here.
Token Types
Two token types authenticate API requests:
- API keys (
scalix_sk_) — for server-side SDK usage and services. Scoped to your organization, optionally to a single project. - Personal access tokens (
scalix_pat_) — for developer tools and the CLI.
Both are created from the console and remain valid until revoked. The API Keys page shows each key's last-used time — keys that show Never or a stale last-use are the first candidates for rotation or revocation.
App Authentication
For end-user authentication in your applications, use the auth SDK:
import { ScalixAuthClient } from "@scalix-world/auth";
const auth = new ScalixAuthClient({
url: "https://api.scalix.world",
});
// Sign up a new user
const { user, session } = await auth.signUp("user@example.com", "secure-password");
// Sign in
const result = await auth.signInWithPassword("user@example.com", "secure-password");
// MFA enrollment
const factor = await auth.enrollMfa("totp", "My Phone");Environment Variables
The CLI reads these environment variables (the SDKs take the API key as an explicit constructor argument):
| Variable | Description |
|---|---|
SCALIX_TOKEN | API key the CLI uses for authentication |
SCALIX_API_URL | API endpoint (default: https://api.scalix.world) |