Authentication

APIFold uses a layered authentication approach: Clerk for user identity and AES-256-GCM for credential encryption.

Dashboard Authentication (Clerk)

The dashboard and all API endpoints (except health checks and webhooks) require authentication via Clerk.

The Next.js middleware protects these route patterns:

Marketing pages (/, /pricing, /docs) are publicly accessible.

Clerk handles session tokens automatically. Sessions are short-lived JWTs validated on every request. No session data is stored server-side.

API keys and bearer tokens for upstream APIs are encrypted at rest using the credential vault.

Storage: When you add a credential, the plaintext key is encrypted with VAULT_SECRET + VAULT_SALT and stored as ciphertext
Retrieval: When the MCP runtime needs to call your upstream API, it decrypts the credential in memory
Rotation: Credentials can be deleted and re-added at any time. Old ciphertext is permanently removed from the database

Variable	Description	Generation
`VAULT_SECRET`	Master encryption key (min 32 chars)	`openssl rand -base64 48`
`VAULT_SALT`	Key derivation salt (32-char hex)	`node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`

MCP servers support three auth modes for client connections:

Mode	Description	Use Case
`none`	No authentication required	Local development, trusted networks
`api_key`	Clients must send an API key header	Shared team access
`bearer`	Clients must send a Bearer token	Production deployments

Configure the auth mode when creating or editing a server in the dashboard.