Authentication

The Majestix AI Inference Hub supports three authentication methods depending on your client type.

API Key Authentication

Best for: VSCode extension, CLI tools, SDK integrations, any programmatic access.

Include your API key in the X-Api-Key header:

curl -H "X-Api-Key: inf_your_key_here" \
  https://inference-api-611798501438.us-central1.run.app/models

Key Format

All API keys use the inf_ prefix followed by URL-safe base64 characters.

Creating Keys

curl -X POST https://inference-api-611798501438.us-central1.run.app/api-keys \
  -H "Authorization: Bearer <firebase_id_token>" \
  -H "X-Firebase-AppCheck: <app_check_token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "My VSCode Key"}'

Key Lifecycle

| Property | Detail |
| --- | --- |
| Format | inf_ + URL-safe base64 |
| Expiry | 90 days (configurable) |
| Cache | Redis-cached for 15 minutes |
| Revocation | Immediate (invalidates cache) |
| Rate limit | Per-user, not per-key |

Security

  • Keys are hashed (SHA-256) before storage — the raw key is never stored

  • Keys are cached in Redis for 15 minutes to reduce Firestore reads

  • Failed lookups are not cached (prevents cache poisoning)

  • Revoking a key immediately invalidates its Redis cache entry
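The four properties above can be seen working together in a small model. This is an added example, not the Hub's own code: plain dicts stand in for Firestore and Redis, and the `KeyStore` class, the 32 random bytes per key, and revoking by raw key are assumptions made for illustration.

```python
import hashlib
import secrets
import time

KEY_TTL = 90 * 24 * 3600   # 90-day expiry from the Key Lifecycle table
CACHE_TTL = 15 * 60        # 15-minute cache window


class KeyStore:
    """In-memory stand-ins: `db` for Firestore, `cache` for Redis (assumed shapes)."""

    def __init__(self, clock=time.time):
        self.db = {}       # sha256 hex digest -> {"user_id", "expires_at"}
        self.cache = {}    # sha256 hex digest -> (record, cache_deadline)
        self.db_reads = 0  # counts backing-store reads, to show what the cache saves
        self.clock = clock

    @staticmethod
    def digest(raw_key):
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create(self, user_id):
        raw = "inf_" + secrets.token_urlsafe(32)  # 32 random bytes is an assumption
        self.db[self.digest(raw)] = {"user_id": user_id,
                                     "expires_at": self.clock() + KEY_TTL}
        return raw  # returned to the caller once; only the digest is kept

    def lookup(self, raw_key):
        """Return the owning user_id, or None if the key is unknown or expired."""
        if not raw_key.startswith("inf_"):
            return None
        h, now = self.digest(raw_key), self.clock()
        hit = self.cache.get(h)
        if hit and hit[1] > now:
            record = hit[0]
        else:
            self.db_reads += 1
            record = self.db.get(h)
            if record is None:
                return None  # failed lookup: nothing is written to the cache
            self.cache[h] = (record, now + CACHE_TTL)
        if record["expires_at"] <= now:
            return None  # expiry is enforced even on a cache hit
        return record["user_id"]

    def revoke(self, raw_key):
        h = self.digest(raw_key)
        self.db.pop(h, None)
        self.cache.pop(h, None)  # otherwise the key would stay valid for up to 15 min
```
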


Firebase Authentication (Web App)

Best for: Browser-based web applications.

Web clients authenticate with two headers:

App Check uses reCAPTCHA Enterprise to verify the request comes from a legitimate web app, not a script or bot.

Security

  • Failed auth attempts trigger IP lockout: 10 failures in 5 minutes = 15-minute block

  • App Check tokens are verified against Firebase on every request

  • ID tokens are verified via Firebase Admin SDK


OIDC Authentication (Service-to-Service)

Best for: Internal services (agent executor, Cloud Tasks).

The agent executor authenticates to the main API using a Google-signed OIDC token:

OIDC authentication:

  • Bypasses IP rate limiting (trusted service)

  • Passes user_id in the request body to charge credits to the correct user

  • Verified against an allowlist of service account emails

This method is not available to end users.


Rate Limiting

All clients are subject to rate limiting:

| Scope | Limit |
| --- | --- |
| Per-IP | Requests per minute (configurable) |
| Per-user | Concurrent requests |
| OIDC services | Exempt from IP rate limits |

When rate limited, the API returns 429 Too Many Requests.
