Authentication

API keys, how auth works, and key management.

API keys

Every request to the CueAPI (except health, status, and auth endpoints) requires a Bearer token:

Authorization: Bearer cue_sk_YOUR_API_KEY

API keys start with cue_sk_ followed by 32 hex characters.

Getting an API key

  1. Go to cueapi.ai/signup
  2. Enter your email
  3. Your API key is displayed once — copy it immediately

How auth works

  1. Your API key is sent as a Bearer token in the Authorization header
  2. CueAPI hashes the key with SHA-256 and checks the hash against a Redis cache (5-minute TTL)
  3. On cache miss, it falls back to a PostgreSQL lookup
  4. If valid, the request proceeds with your user context (plan, limits, etc.)

Note

CueAPI never stores your API key in plaintext. Only the SHA-256 hash is stored in the database. The plaintext key is shown once at creation and never again.

Key management

Check your current key

bash
cueapi whoami

Or via API:

bash
curl https://api.cueapi.ai/v1/auth/me \
  -H "Authorization: Bearer cue_sk_YOUR_KEY"

Regenerate your key

If your key is compromised, regenerate it immediately:

bash
cueapi key regenerate

Warning

Regenerating your API key immediately revokes the old key. All requests using the old key will return 401 Unauthorized. Update your integrations before regenerating.

Credential resolution order

The CLI and worker resolve API keys in this order:

  1. --api-key flag (CLI) or api_key in config (worker)
  2. CUEAPI_API_KEY environment variable
  3. ~/.config/cueapi/credentials.json (saved by cueapi login)

Credential storage

Credentials are stored at:

OS             Path
macOS / Linux  ~/.config/cueapi/credentials.json
Windows        %APPDATA%\cueapi\credentials.json

The file has 600 permissions (owner read/write only) and supports multiple profiles:

json
{
  "default": {
    "api_key": "cue_sk_...",
    "email": "you@example.com",
    "api_base": "https://api.cueapi.ai"
  }
}
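
Added example (not CueAPI's own code): a Python sketch that follows the credential resolution order and storage rules above, and additionally refuses a credentials file that group or other users can access or a key that does not match the documented cue_sk_ format. The function names, the refusal on loose permissions and the redact helper are assumptions of this example, not documented CLI behaviour.

```python
import json
import os
import re
import stat
from pathlib import Path

# Key format stated on this page: cue_sk_ followed by 32 hex characters.
KEY_RE = re.compile(r"cue_sk_[0-9a-fA-F]{32}")
DEFAULT_PATH = Path.home() / ".config" / "cueapi" / "credentials.json"  # macOS / Linux

def file_is_private(path):
    """True when group and other have no access bits set (for example mode 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def resolve_api_key(flag_key=None, environ=None, path=DEFAULT_PATH, profile="default"):
    """Return (key, source) using the documented order: flag, env var, file."""
    environ = os.environ if environ is None else environ
    if flag_key:
        key, source = flag_key, "flag"
    elif environ.get("CUEAPI_API_KEY"):
        key, source = environ["CUEAPI_API_KEY"], "env"
    else:
        path = Path(path)
        if not path.is_file():
            raise ValueError("no API key in flag, environment or credentials file")
        # Assumption of this example: treat a file readable by others as an error.
        if os.name == "posix" and not file_is_private(path):
            raise ValueError(f"{path} is accessible to group/other; expected mode 600")
        with open(path, encoding="utf-8") as fh:
            profiles = json.load(fh)
        if "api_key" not in profiles.get(profile, {}):
            raise ValueError(f"profile {profile!r} has no api_key")
        key, source = profiles[profile]["api_key"], "file"
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"key from {source} is not cue_sk_ + 32 hex characters")
    return key, source

def redact(key):
    """Keep the cue_sk_ prefix and last 4 characters so logs never hold the full key."""
    return key[:7] + "..." + key[-4:]
```

Reporting the source alongside redact(key) makes it easy to see when a stale --api-key flag or CUEAPI_API_KEY value is shadowing the saved profile after a key regeneration.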