Authentication
Convoy uses API key authentication to provide secure, multi-tenant access to the batch processing API.
Getting Your API Key
API keys are provisioned directly from the Convoy dashboard at cnvy.ai :
- Sign in to your account at cnvy.ai
- Navigate to your project
- Go to API Keys and create a new key
- Copy the key — it is shown only once
Save your API key! The full key is only shown once at creation. Store it securely.
Projects
Projects provide multi-tenant isolation in Convoy. Each project:
- Has a unique slug (e.g.,
my-project) for identification - Contains its own set of API keys
- Owns its cargo requests — requests are scoped to the project that created them
- Can be activated/deactivated without deleting data
API Keys
API keys authenticate requests to the cargo operations endpoints (/cargo/load, /cargo/{id}/tracking).
Key Format
Keys follow the format: convoy_sk_ followed by 32 random characters.
convoy_sk_7kX9mP2nQ4rT6vW8yB0cD3fG5hJ
└──────┘ └────────────────────────────┘
prefix random partKey Lifecycle
- Creation — Provisioned via the Convoy dashboard
- Distribution — Full key shown once at creation; store securely
- Usage — Include in
X-API-Keyheader for cargo operations - Tracking —
last_used_atupdated on each use - Expiration — Optional expiration date
- Revocation — Keys can be deactivated without deletion
Security Note: API keys are stored as SHA-256 hashes. The full key cannot be retrieved after creation.
Key Properties
| Property | Description |
|---|---|
name | Human-readable identifier (e.g., “Production”, “Development”) |
key_prefix | First 12 characters for identification |
is_active | Whether the key can be used |
expires_at | Optional expiration timestamp |
last_used_at | Last successful authentication |
Making Authenticated Requests
Include your API key in the X-API-Key header:
curl -X POST https://api.cnvy.ai/cargo/load \
-H "Content-Type: application/json" \
-H "X-API-Key: convoy_sk_your_key_here" \
-d '{
"params": {"model": "claude-sonnet-4-5", "messages": [...]},
"callback_url": "https://example.com/callback"
}'Authenticated Endpoints
| Method | Endpoint | Description |
|---|---|---|
POST | /cargo/load | Submit request for batch processing |
GET | /cargo/{cargo_id}/tracking | Get request status |
Error Responses
401 Unauthorized
Returned when authentication fails:
{"detail": "API key required. Include X-API-Key header."}
{"detail": "Invalid API key format."}
{"detail": "Invalid API key."}
{"detail": "API key has expired."}403 Forbidden
Returned when the project is inactive:
{"detail": "Project is inactive."}404 Not Found
Returned when accessing cargo not owned by the authenticated project:
{"detail": "Cargo not found"}Best Practices
- Use separate keys per environment — Create distinct keys for development, staging, and production
- Set expiration dates — For temporary access or contractor keys
- Rotate keys periodically — Create new key, update clients, revoke old key
- Monitor usage — Check
last_used_atto identify unused keys - Use HTTPS — Always use TLS to protect keys in transit