Authentication | CourseForge

The CourseForge API uses API keys for authentication. This guide covers how to generate, use, and manage your API keys securely.

Authentication Methods

API Key Authentication

Include your API key in the Authorization header of every request:

Authorization: Bearer cf_prod_YOUR_API_KEY

Alternatively, use the X-API-Key header:

X-API-Key: cf_prod_YOUR_API_KEY

API Key Format

API keys follow this format: cf_[environment]_[32_characters]

Production keys: cf_prod_...
Test keys: cf_test_... (future feature)

Creating API Keys

Via Web Dashboard

Log in to CourseForge
Go to Settings → API Keys
Click Create API Key
Enter a descriptive name
Click Create
Copy and securely store your key

Warning: Keys are only shown once. If you lose a key, you must revoke it and create a new one.

Via API

You can also create API keys programmatically using the Firebase Authentication token:

curl -X POST https://courseforge.caringai.app/api/v1/api-keys \
  -H "Authorization: Bearer YOUR_FIREBASE_ID_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production Server"}'

Managing API Keys

Listing Keys

curl https://courseforge.caringai.app/api/v1/api-keys \
  -H "Authorization: Bearer YOUR_FIREBASE_ID_TOKEN"

Revoking Keys

curl -X DELETE https://courseforge.caringai.app/api/v1/api-keys/{keyId} \
  -H "Authorization: Bearer YOUR_FIREBASE_ID_TOKEN"

Security Best Practices

Protect Your Keys

Never commit API keys to version control
Store keys in environment variables
Use secrets managers in production
Rotate keys regularly (every 90 days)

Key Rotation

Create a new API key
Update your application to use the new key
Test thoroughly
Revoke the old key

Monitoring Usage

Monitor API usage in your dashboard
Set up alerts for unusual activity
Review API logs regularly
Revoke compromised keys immediately

Example: Environment Variables

.env (local development):

COURSEFORGE_API_KEY=cf_prod_abc123def456...

Code:

const apiKey = process.env.COURSEFORGE_API_KEY

fetch('https://courseforge.caringai.app/api/v1/courses', {
  headers: {
    'Authorization': `Bearer ${apiKey}`
  }
})

Error Codes

Code	Description
`401`	Invalid or missing API key
`403`	API key doesn't have required permissions
`429`	Rate limit exceeded

Master API Key (MCP)

For MCP (Model Context Protocol) clients like Claude Desktop, you can use a master API key:

Set in environment as MCP_MASTER_API_KEY
Grants access to all MCP tools
Used for AI assistant integrations

Note: The master key is more powerful - protect it carefully.