cronitorex.com

Authentication

All requests to the Cronitorex API must be authenticated. Two methods are supported.

Authorization: Bearer <api_key>

This is the recommended method for production crons, recurring clients, and any traffic that touches shared infrastructure — the token never appears in URLs, access logs, browser history, or Referer headers.

URL query parameter (convenience)

For one-off curl commands, IoT devices, GitHub Actions, or anywhere setting a header is awkward, you can pass the key as ?api_key=<token>:

curl "https://api.cronitorex.com/ping/my-job?api_key=<api_key>&status=complete"

Works on both GET and POST endpoints.

If the Authorization header is present but malformed or invalid, the request is rejected — the query parameter is not consulted as a silent fallback. This prevents accidental bypass when a captured request is replayed with ?api_key= appended.

Security tradeoffs

URL-embedded tokens are visible to:

  • HTTP access logs on every proxy, load balancer, and the server itself
  • The browser’s history (if used from a browser)
  • The Referer header sent by the browser to any third-party resource on the resulting page
  • Any error report or analytics tool that captures URLs

Use the URL method only for ad-hoc commands. Rotate the key if you suspect it has leaked into logs.
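To act on a suspected leak, the following added example (not part of the Cronitorex documentation) scans access-log lines for ?api_key= values, redacts them, and reports a short fingerprint per key so you can tell which keys to rotate. The log lines and key values are constructed, and the combined-log layout is an assumption about your proxy or server.

```python
import hashlib
import re
from urllib.parse import unquote

# Matches the api_key query parameter named on this page, wherever it sits in
# the query string. The value runs until the next '&', '#', space or quote.
API_KEY_RE = re.compile(r'(?P<prefix>[?&]api_key=)(?P<value>[^&#\s"]*)')


def fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint: identifies a key without re-exposing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def scan_log(lines):
    """Return (redacted_lines, {fingerprint: [line numbers]}) for leaked keys."""
    redacted, hits = [], {}
    for lineno, line in enumerate(lines, start=1):
        def _redact(match, lineno=lineno):
            key = unquote(match.group("value"))  # logs may hold %-encoded values
            if not key:                          # "?api_key=" with no value
                return match.group(0)
            fp = fingerprint(key)
            hits.setdefault(fp, []).append(lineno)
            return f"{match.group('prefix')}[REDACTED:{fp}]"

        redacted.append(API_KEY_RE.sub(_redact, line))
    return redacted, hits


# Constructed sample lines in combined-log style; the keys are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:00:00:01 +0000] "GET /ping/my-job?api_key=demo-key-AAAA&status=complete HTTP/1.1" 200 2',
    '203.0.113.7 - - [01/Jan/2025:00:05:01 +0000] "POST /ping/my-job?status=complete&api_key=demo%2Dkey%2DAAAA HTTP/1.1" 200 2',
    '198.51.100.9 - - [01/Jan/2025:00:06:10 +0000] "GET /ping/other-job?status=complete HTTP/1.1" 401 24',
    '198.51.100.9 - - [01/Jan/2025:00:07:10 +0000] "GET /ping/other-job?api_key=demo-key-BBBB HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    clean, leaked = scan_log(SAMPLE_LOG)
    print("\n".join(clean))
    for fp, where in leaked.items():
        print(f"rotate key with fingerprint {fp}: seen on lines {where}")
```

Compare the reported fingerprints against fingerprint() of the keys you hold to decide which ones to rotate.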

Getting your key

  1. Open app.cronitorex.com
  2. Go to Profile → API Key
  3. Copy the key — it is shown only once after generation

Key scope

Each API key is tied to a single user account. Events sent with a given key appear only in that user’s dashboard.

Errors

Status             Meaning
401 Unauthorized   Missing or invalid API key
403 Forbidden      Key exists but lacks permission

{ "error": "unauthorized" }