Internal API Key Usage Guide

The internal API key is a secret key used to authenticate requests made to Mindful Auth’s APIs. It is essential for validating your portal sessions (the internal api key must be added as a enviromental variable on the frontend framework) and for performing administrative actions such as locking or unlocking member accounts.

Encryption details

The Internal API Key uses AES-GCM-256 encryption with per-tenant key derivation via HKDF-SHA256. Master key combined with unique tenantSalt per tenant. Same encryption pattern used for 2FA secrets, backend credentials, and Turnstile secrets. Encrypted form stored in Cloudflare KV, decrypted on-demand for validation.

You can find your internal API key in the Mindful Auth admin portal under the “Internal API Key” section for your hostnames. Note that the internal API key is different for every hostname you onboard (unless they share the same app ID).