- Store credentials in encrypted environment variables or a dedicated secrets manager such as HashiCorp Vault or AWS Secrets Manager. Never commit keys to version control.
- Enforce IP allow-listing for production API keys via the network access controls panel, so that only requests originating from your known egress CIDR ranges are accepted.
- Enable audit logging in your workspace settings to track key generation, token issuance, and permission changes. CronFlow retains event logs for 365 days.
- Rotate production credentials every 90 days and set up automated alerts for unused keys. The platform flags inactive credentials after 14 days of zero requests.
- Validate all webhook payloads using the X-CronFlow-Signature header. Compute an HMAC-SHA256 over the raw request body with your webhook secret, compare it to the header value with a constant-time comparison, and reject the callback before any parsing if it does not match.
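The signature check the last guideline above calls for, as an added example in Python. This is not CronFlow's own code or documentation: it assumes the header carries the hex-encoded HMAC-SHA256 digest (optionally with a sha256= prefix) computed with the dashboard webhook secret over the exact request bytes. The page does not state the encoding CronFlow uses, so confirm it against a captured callback before relying on it. The secret, callback body and function names below are constructed for the demo.

```python
"""Verify CronFlow webhook callbacks with the X-CronFlow-Signature header (added example)."""
import hashlib
import hmac
import json
from typing import Any, Dict, Mapping

SIGNATURE_HEADER = "X-CronFlow-Signature"  # header name from the page


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded (encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, headers: Mapping[str, str], raw_body: bytes) -> bool:
    """True only if the header is present and matches the HMAC of raw_body."""
    presented = ""
    for name, value in headers.items():           # header names are case-insensitive
        if name.lower() == SIGNATURE_HEADER.lower():
            presented = value.strip()
            break
    if not presented:
        return False                              # missing header fails closed
    if presented.lower().startswith("sha256="):   # tolerate a common prefix form (assumption)
        presented = presented[len("sha256="):]
    expected = sign_payload(secret, raw_body)
    # compare_digest runs in constant time, so an attacker cannot probe the MAC byte by byte.
    return hmac.compare_digest(expected.encode(), presented.lower().encode())


def handle_callback(secret: bytes, headers: Mapping[str, str], raw_body: bytes) -> Dict[str, Any]:
    """Verify first, parse second: untrusted JSON is never decoded before the MAC check."""
    if not verify_signature(secret, headers, raw_body):
        raise PermissionError("invalid or missing X-CronFlow-Signature")
    return json.loads(raw_body)


if __name__ == "__main__":
    secret = b"whsec_demo_only"                                    # constructed demo secret
    body = b'{"job_id": "job_123", "status": "succeeded", "attempt": 1}'  # constructed callback
    headers = {"X-CronFlow-Signature": sign_payload(secret, body)}
    print(handle_callback(secret, headers, body))

    # Re-serialising JSON changes the bytes (spacing, key order), so always MAC the raw body.
    reserialised = json.dumps(json.loads(body), separators=(",", ":")).encode()
    print("reserialised body verifies:", verify_signature(secret, headers, reserialised))
    tampered = body.replace(b"succeeded", b"failed")
    print("tampered body verifies:", verify_signature(secret, headers, tampered))
```

Pass the body to verify_signature exactly as it arrived on the socket; frameworks that hand you a parsed object and re-encode it will break the check. The page describes no timestamp in the signature, so this check on its own does not stop replay of a captured callback; if that matters for your jobs, deduplicate on an identifier carried in the payload.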
Secure Access for CronFlow
Reliable background jobs, simplified. Manage API keys, rotate secrets, and implement OAuth2 for secure server-to-server communication.
API Keys & Secret Management
CronFlow uses scoped API keys to authenticate all programmatic requests. Each key is tied to a specific workspace and permission set, ensuring least-privilege access across your infrastructure.
Production Keys
Full access to queue management, webhook configuration, and execution logs. Prefixed with cf_prod_ and rate-limited to 10,000 requests per minute.
Staging Keys
Restricted to non-production environments. Prefixed with cf_stg_ and automatically expire after 90 days unless rotated via the dashboard.
Read-Only Keys
Ideal for monitoring dashboards and audit tools. Prefixed with cf_ro_ and limited to GET endpoints for job status and worker metrics.
To rotate a key without downtime, generate a successor key, update your environment variables, then revoke the legacy credential. CronFlow supports overlapping validity windows for zero-downtime rotation.
OAuth2 Server-to-Server Flow
For applications requiring delegated access or multi-tenant integrations, CronFlow supports the OAuth2 client credentials grant. Instead of sending a long-lived API key with every request, the client presents its client_secret only to the token endpoint and receives short-lived access tokens bound to specific scopes, so a leaked token is limited in both lifetime and permissions.
Configure your integration by registering a client application in the CronFlow portal. You will receive a client_id and client_secret scoped to your organization. Exchange these credentials at https://api.cronflow.io/oauth/token to obtain a bearer token valid for 3600 seconds.
Supported scopes include jobs:read, jobs:write, workers:manage, and webhooks:configure. Attach the token to every request using the Authorization: Bearer <token> header. CronFlow automatically validates token expiry and revocation status before processing queue operations.
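The client-credentials exchange described above, as an added example in Python that is not CronFlow's SDK or documentation. It assumes the token endpoint follows RFC 6749: grant_type and scope sent form-encoded, the client authenticated with HTTP Basic, and a JSON reply carrying access_token, token_type, expires_in and scope. The FakeTokenEndpoint and FakeClock classes, the cf_at_ token values and the 60-second early-refresh margin are constructed for the demo so it runs offline.

```python
"""OAuth2 client-credentials token client for CronFlow (added example, not CronFlow's SDK)."""
import base64
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_URL = "https://api.cronflow.io/oauth/token"  # from the page
EARLY_REFRESH_SECONDS = 60  # assumption: re-fetch shortly before expiry to avoid mid-request 401s
# A transport takes (url, headers, form_body) and returns (status, response_body).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:  # certificate checks stay on
        return resp.status, resp.read()


def _basic_auth(client_id: str, client_secret: str) -> str:
    # RFC 6749 s2.3.1: form-urlencode id and secret, then HTTP Basic. Assumption: CronFlow accepts this.
    pair = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode()).decode()


class TokenProvider:
    """Fetches a bearer token, caches it until just before expiry, hands out the header."""

    def __init__(self, client_id: str, client_secret: str, scopes: List[str],
                 transport: Transport = urllib_transport, token_url: str = TOKEN_URL,
                 clock: Callable[[], float] = time.time) -> None:
        self._auth = _basic_auth(client_id, client_secret)  # the secret only ever goes to the token endpoint
        self.scopes, self.transport, self.token_url, self.clock = list(scopes), transport, token_url, clock
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _fetch(self) -> None:
        headers = {"Authorization": self._auth, "Accept": "application/json",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "scope": " ".join(self.scopes)}).encode()
        status, raw = self.transport(self.token_url, headers, body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}: {raw[:200]!r}")
        data = json.loads(raw)
        if str(data.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
        # Fail closed if the server granted fewer scopes than the integration needs.
        granted = set(data["scope"].split()) if "scope" in data else set(self.scopes)
        missing = set(self.scopes) - granted
        if missing:
            raise RuntimeError(f"scopes not granted: {sorted(missing)}")
        self._token = data["access_token"]
        self._expires_at = self.clock() + int(data.get("expires_in", 3600))

    def token(self) -> str:
        if self._token is None or self.clock() >= self._expires_at - EARLY_REFRESH_SECONDS:
            self._fetch()
        return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so the example runs offline."""

    def __init__(self, client_id: str, client_secret: str, expires_in: int = 3600,
                 granted_scope: Optional[str] = None) -> None:
        self.expected, self.expires_in, self.granted_scope = _basic_auth(client_id, client_secret), expires_in, granted_scope
        self.calls, self.issued = 0, []

    def __call__(self, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
        self.calls += 1
        if not hmac.compare_digest(headers.get("Authorization", "").encode(), self.expected.encode()):
            return 401, json.dumps({"error": "invalid_client"}).encode()
        form = urllib.parse.parse_qs(body.decode())
        if form.get("grant_type") != ["client_credentials"]:
            return 400, json.dumps({"error": "unsupported_grant_type"}).encode()
        token = f"cf_at_{len(self.issued) + 1}"  # opaque demo value; the real token format is not on the page
        self.issued.append(token)
        scope = self.granted_scope if self.granted_scope is not None else form.get("scope", [""])[0]
        return 200, json.dumps({"access_token": token, "token_type": "Bearer",
                                "expires_in": self.expires_in, "scope": scope}).encode()


class FakeClock:
    """Constructed clock so cache expiry can be exercised without sleeping."""
    def __init__(self, now: float) -> None:
        self.now = now
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    endpoint, clock = FakeTokenEndpoint("cid_demo", "secret_demo"), FakeClock(0.0)
    provider = TokenProvider("cid_demo", "secret_demo", ["jobs:read", "jobs:write"],
                             transport=endpoint, clock=clock)
    print(provider.auth_header())   # first call hits the endpoint
    clock.advance(3000); provider.token()   # within lifetime: served from cache
    clock.advance(600); provider.token()    # past expiry minus the margin: refreshed
    print("token endpoint calls:", endpoint.calls)  # 2
```

Two design choices matter here. The token is refreshed a minute before the 3600-second lifetime ends so that a request issued at the boundary does not fail with a 401 and retry with a stale token, and the provider raises if the server narrows the granted scopes rather than continuing with fewer permissions than the integration was written for. Request only the scopes from the list above that the integration actually needs.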
Security Best Practices
Protecting your background job infrastructure requires disciplined credential management and network hygiene. Follow these guidelines to maintain compliance and prevent unauthorized queue manipulation.
For organizations requiring SOC 2 Type II compliance, enable multi-factor authentication on all admin accounts and enforce role-based access control across your CronFlow workspaces.