Authentication

API keys, JWT sessions, and two-factor auth — and when to use which.

Conduix has two completely separate authentication surfaces. They never overlap, and the request middleware verifies them differently.

  • Customer SDK (/v1/*): cx_live_… / cx_test_… as Bearer
  • Dashboard / Admin: JWT (HS256, 30-day TTL) as Bearer

API keys (the SDK path)

Mint API keys at /dashboard/keys. Two prefixes:

  • cx_live_… — production. Burns real credits.
  • cx_test_… — non-billable test calls. Same code path, no charging. Great for CI.

HTTP request

POST /v1/chat/completions HTTP/1.1
Host: api.conduix.ai
Authorization: Bearer cx_live_a1b2c3d4…
Content-Type: application/json

{ "model": "gpt-4o-mini", "messages": [...] }

How keys are stored. Conduix keeps only a SHA-256 hash and a short prefix (e.g. cx_live_a1b2…) for display. The plaintext is shown once, at creation. If you lose the key, revoke it and re-issue.

Per-key controls

Every key carries its own scoping config. Set these per-key from the dashboard:

  • Allowed models: e.g. only gpt-4o-mini, claude-haiku-4-5
  • Rate limit: requests per minute
  • Monthly budget: USD ceiling
  • Data residency: us / eu / apac (pin to region)
  • PII redaction: override the org-level default
  • Expiry: optional — key auto-revokes
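As an added illustration (not Conduix's own code) of the storage model described under "How keys are stored" and of the per-key scoping listed above: a minimal key store that keeps only the SHA-256 digest and a display prefix, hands out the plaintext once, and checks a Bearer key on the SDK path for revocation, expiry and allowed models. The store layout, the function names and the use of secrets.token_urlsafe for the random part are assumptions, not documented Conduix behaviour.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical in-memory store keyed by the SHA-256 hex digest of the key; plaintext is never kept.
KEY_STORE = {}

def mint_key(env, allowed_models=None, expires_in_days=None, now=None):
    """Mint a cx_live_/cx_test_ key. The plaintext is returned exactly once, as at /dashboard/keys."""
    if env not in ("live", "test"):
        raise ValueError("env must be 'live' or 'test'")
    now = now or datetime.now(timezone.utc)
    plaintext = f"cx_{env}_{secrets.token_urlsafe(24)}"  # assumed key format
    KEY_STORE[hashlib.sha256(plaintext.encode()).hexdigest()] = {
        "display": plaintext[:12] + "…",          # short prefix for the dashboard, e.g. cx_live_a1b2…
        "billable": env == "live",                 # cx_test_ takes the same code path but is not charged
        "allowed_models": set(allowed_models) if allowed_models else None,
        "expires_at": now + timedelta(days=expires_in_days) if expires_in_days else None,
        "revoked": False,
    }
    return plaintext

def revoke_key(plaintext):
    """Revoke a key; the remedy for a lost or leaked key is revoke and re-issue, not rename."""
    record = KEY_STORE.get(hashlib.sha256(plaintext.encode()).hexdigest())
    if record is not None:
        record["revoked"] = True

def authenticate(authorization_header, model, now=None):
    """Verify the Bearer key on a /v1/* request. Returns the key record or raises PermissionError."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token.startswith(("cx_live_", "cx_test_")):
        raise PermissionError("not a Conduix API key")  # dashboard JWTs are a separate surface
    record = KEY_STORE.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["revoked"]:
        raise PermissionError("unknown or revoked key")
    if record["expires_at"] is not None and now >= record["expires_at"]:
        raise PermissionError("expired key")
    if record["allowed_models"] is not None and model not in record["allowed_models"]:
        raise PermissionError(f"model {model!r} is not allowed for this key")
    return record
```

Because the lookup is by digest, a database dump of KEY_STORE yields no usable keys; the rate limit and budget controls would be enforced on the returned record in the same place.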

Dashboard JWT

Humans logged into the customer or admin web UI use a JSON Web Token (HS256, 30-day TTL). Every request re-validates the token against current org membership, so a revoked membership invalidates outstanding JWTs immediately.

You won't typically interact with this directly; the dashboard handles it. If you need to call dashboard APIs from a script, log in via POST /api/auth/login.

Two-factor authentication

TOTP-based 2FA is optional for customers and mandatory for platform operators (anyone with admin-portal access). Enroll at /dashboard/settings/security.

  • Compatible with 1Password, Authy, Bitwarden, Google Authenticator.
  • 10 single-use recovery codes minted at enrollment — store them safely.
  • Disabling 2FA requires both your password and a current 2FA code.

Forgotten password

Reset at /forgot-password. Conduix emails a one-time reset link valid for 1 hour. The link is single-use; using it invalidates any other outstanding reset tokens for that account.

Security best practices

  • Mint a separate key per environment (prod, staging, CI).
  • Rotate keys on team changes — revoke and re-issue rather than rename.
  • Use cx_test_ keys in CI to avoid burning credits on test runs.
  • Set a per-key monthly budget so a leaked key can't drain the account.
  • Enable 2FA on at least the dashboard owner account.