Authentication

Every request to a Connect AI HTTP endpoint must carry an AI Client identity. End-user OAuth is layered on top, separately.

AI Client credentials

Name                Type    Required  Description
Authorization       string  required  Bearer <api-key>
X-Cortex-Client-Id  string  required  Public client identifier
X-Cortex-User-Id    string  optional  Required if the tool calls a per-user API
X-Cortex-App-Id     string  optional  Can be omitted when toolId is composite

Validation is timing-safe

API keys are hashed at rest and compared with a timing-safe operation. Brute force probing produces no measurable timing signal.
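The following is an added illustration of the server-side check described above and of the header rules in the table; it is not Connect AI's own code. It assumes an in-memory store mapping a client id to the SHA-256 digest of its API key (a real deployment would read the digest from a database), and the client id and key values in it are constructed for the example. Two details matter for the timing claim: the comparison uses hmac.compare_digest rather than ==, and an unknown client id is compared against a dummy digest so the "no such client" path costs the same as the "wrong key" path.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample credential store: public client id -> SHA-256 hex digest of
# the API key. Only the digest is kept at rest; the plaintext key below exists
# solely so this example can populate the store. Both values are made up.
_SAMPLE_PLAINTEXT_KEYS = {
    "client_demo": "example-api-key-0123456789abcdef",
}


def hash_api_key(api_key: str) -> str:
    # API keys are high-entropy random strings, so an unsalted SHA-256 is an
    # adequate at-rest form (unlike user passwords, which need a slow KDF).
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


KEY_STORE = {cid: hash_api_key(k) for cid, k in _SAMPLE_PLAINTEXT_KEYS.items()}

# Compared against when the client id is unknown, so that the "no such client"
# path does the same amount of work as the "wrong key" path.
_DUMMY_DIGEST = hash_api_key("dummy-value-never-issued")


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    # HTTP header names are case-insensitive; accept any casing.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_bearer(auth_header: Optional[str]) -> Optional[str]:
    """Extract <api-key> from 'Bearer <api-key>'; None for any other shape."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_client(headers: Mapping[str, str]) -> bool:
    """True only if X-Cortex-Client-Id is known and the bearer key matches its digest."""
    api_key = parse_bearer(_header(headers, "Authorization"))
    client_id = _header(headers, "X-Cortex-Client-Id")
    if api_key is None or not client_id:
        return False
    known = client_id in KEY_STORE
    stored = KEY_STORE.get(client_id, _DUMMY_DIGEST)
    # compare_digest's running time does not depend on where the digests first differ.
    matched = hmac.compare_digest(hash_api_key(api_key), stored)
    return matched and known


@dataclass(frozen=True)
class AuthContext:
    client_id: str
    user_id: Optional[str]
    app_id: Optional[str]


class AuthError(Exception):
    pass


def authenticate(headers: Mapping[str, str], per_user_tool: bool) -> AuthContext:
    """Apply the header table: client credentials always, X-Cortex-User-Id only
    when the tool calls a per-user API. The user id is passed through unvalidated."""
    if not verify_client(headers):
        raise AuthError("invalid AI Client credentials")
    user_id = _header(headers, "X-Cortex-User-Id")
    if per_user_tool and not user_id:
        raise AuthError("X-Cortex-User-Id is required for a per-user tool")
    return AuthContext(
        client_id=_header(headers, "X-Cortex-Client-Id"),
        user_id=user_id,
        app_id=_header(headers, "X-Cortex-App-Id"),
    )
```

Note that `matched and known` is evaluated after both the lookup and the digest comparison have run, so the only work that varies between a wrong key and an unknown client is a dictionary membership test.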

Rotating an API key

  • From the portal → AI Clients → Rotate.
  • Programmatically, via the Firebase callable renewAiClientApiKey(clientId).
  • At least every 90 days (recommended hygiene).

The old key is invalidated immediately.

End-user identity

End-user identity is your decision. Pass any stable string in X-Cortex-User-Id. We use it to:

  • Look up OAuth tokens scoped to that user.
  • Stamp the audit log.
  • Enforce per-user rate limits where configured.

We do NOT validate the value. See End-user OAuth for the flow that ties a real human to that string.
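Because the value is never validated and is stamped into the audit log, the integrator decides what "stable string" to send. The added example below (not part of this documentation, and not Connect AI code) shows one way to do that from the client side: derive X-Cortex-User-Id as an HMAC of your own internal account key, so the same account always maps to the same string while the value itself exposes no e-mail address or database id. The pepper, the account ids and the header-building helper are constructed for the example; the HMAC derivation is a design choice that goes beyond the page's only requirement, which is stability.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed: a secret held by the integrator, used only to derive opaque
# user identifiers. Not a Connect AI value; store it alongside your API key.
USER_ID_PEPPER = b"replace-with-your-own-secret"


def stable_user_id(internal_user_id: str) -> str:
    """Derive X-Cortex-User-Id from your own account key.

    The same account always maps to the same string (so OAuth tokens, audit
    entries and rate limits line up), while the value itself carries none of
    the underlying account data into the audit log.
    """
    mac = hmac.new(USER_ID_PEPPER, internal_user_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def build_headers(
    api_key: str,
    client_id: str,
    *,
    per_user_tool: bool = False,
    internal_user_id: Optional[str] = None,
    app_id: Optional[str] = None,
) -> Dict[str, str]:
    """Assemble the request headers from the credentials table.

    Fails locally if a per-user tool is called without an end-user identity,
    instead of sending a request the server will reject.
    """
    headers = {
        "Authorization": f"Bearer {api_key}",
        "X-Cortex-Client-Id": client_id,
    }
    if internal_user_id is not None:
        headers["X-Cortex-User-Id"] = stable_user_id(internal_user_id)
    elif per_user_tool:
        raise ValueError("per-user tool called without an end-user identity")
    if app_id is not None:
        headers["X-Cortex-App-Id"] = app_id
    return headers
```

Rotating the pepper changes every derived id at once, which would orphan the OAuth tokens stored under the old values; treat it as a long-lived secret rather than something rotated with the API key.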