Authentication

CorePlexML supports two authentication mechanisms: API keys sent as Bearer tokens, and session cookies. For programmatic access (API calls, SDK, CI/CD pipelines), use API keys.

API Key Authentication

Generate an API key from the web UI under Settings > API Keys, or programmatically via the auth API.

Include the key in every request as a Bearer token:

Authorization: Bearer cpx_live.abc123def456...

curl example:

export BASE_URL="https://your-domain.com"
export API_KEY="cpx_live.abc123def456"

curl "$BASE_URL/api/projects" \
  -H "Authorization: Bearer $API_KEY"

Python requests example:

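import requests

BASE_URL = "https://your-domain.com"
headers = {"Authorization": "Bearer cpx_live.abc123def456"}

# Set a timeout so a stalled connection cannot hang the caller
resp = requests.get(f"{BASE_URL}/api/projects", headers=headers, timeout=10)
resp.raise_for_status()  # surface 401/403 instead of parsing an error body
projects = resp.json()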

SDK example:

from coreplexml import CorePlexMLClient

client = CorePlexMLClient(
    base_url="https://your-domain.com",
    api_key="cpx_live.abc123def456",
)
projects = client.projects.list()

Creating an API Key Programmatically

First authenticate with email/password to get a session, then create a key:

# Login to get session cookie
curl -X POST "$BASE_URL/api/auth/login" \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{"email": "you@example.com", "password": "your-password"}'

# Create API key
curl -X POST "$BASE_URL/api/auth/api-keys" \
  -b cookies.txt \
  -H "Content-Type: application/json" \
  -d '{"name": "CI Pipeline", "scopes": ["read", "write", "predict"]}'

The response contains the full key – store it securely. The key is shown only once.

API Key Scopes

Each key carries one or more scopes that restrict its permissions:

Scope      Permissions
read       List and view all resources (projects, datasets, models, etc.)
write      Create, update, and delete resources
predict    Make predictions via models and deployments
admin      Manage users, settings, and other API keys

A key with scopes ["read", "predict"] can list models and make predictions but cannot create projects or delete datasets.

Session Authentication

Session-based authentication is used by the web UI. After calling POST /api/auth/login with email and password, the server sets an HttpOnly cookie that is sent automatically on subsequent requests.

This method is useful for browser-based integrations or testing with tools like Postman:

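import requests

BASE_URL = "https://your-domain.com"

session = requests.Session()
login = session.post(f"{BASE_URL}/api/auth/login", json={
    "email": "you@example.com",
    "password": "your-password",
}, timeout=10)
login.raise_for_status()  # stop here on 401 or 429
# session now carries the cookie
resp = session.get(f"{BASE_URL}/api/projects", timeout=10)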

Error Responses

Authentication failures return one of:

  • 401 Unauthorized – Missing or invalid API key / session.

  • 403 Forbidden – Valid credentials but insufficient scopes.

  • 429 Too Many Requests – Rate-limited (login and password endpoints).

{
  "detail": "Invalid or expired API key"
}
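Added example (not CorePlexML's own code): a standard-library client wrapper that treats the three status codes above differently. It fails fast on 401 and 403, backs off on 429, refuses to send the key over plain HTTP, and keeps the secret out of error messages. The names get_json, AuthError and redact, the COREPLEXML_API_KEY variable and the backoff schedule are assumptions made for illustration.

```python
import json
import os
import time
import urllib.error
import urllib.request


class AuthError(Exception):
    """401 or 403: retrying with the same key cannot succeed."""


def redact(api_key):
    # Log only the prefix before the dot (e.g. "cpx_live"), never the secret.
    return api_key.split(".", 1)[0] + ".****"


def _detail(err):
    # Error bodies look like {"detail": "..."}; tolerate anything else.
    try:
        return json.loads(err.read()).get("detail", "")
    except (ValueError, AttributeError):
        return ""


def get_json(base_url, path, api_key, opener=urllib.request.urlopen,
             max_retries=3, sleep=time.sleep):
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a Bearer token over a non-HTTPS URL")
    req = urllib.request.Request(
        base_url + path, headers={"Authorization": f"Bearer {api_key}"})
    for attempt in range(max_retries + 1):
        try:
            with opener(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code in (401, 403):
                why = "rejected" if err.code == 401 else "lacks a required scope"
                raise AuthError(
                    f"{err.code}: key {redact(api_key)} {why}: {_detail(err)}")
            if err.code == 429 and attempt < max_retries:
                sleep(2 ** attempt)  # assumed policy: wait 1s, 2s, 4s
                continue
            raise


if __name__ == "__main__":
    # COREPLEXML_API_KEY is an assumed variable name, not one the docs define.
    key = os.environ["COREPLEXML_API_KEY"]
    print(get_json("https://your-domain.com", "/api/projects", key))
```

The opener and sleep parameters exist so the retry and error paths can be exercised without a network connection.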
