API keys

Use API keys to authenticate server-to-server calls instead of a logged-in session. Send the key as Authorization: Bearer cf_live_…. Each key is scoped to read, write, or admin and can optionally expire. The full secret is shown once when you create the key — store it somewhere safe; we hash it on our side and can never recover it.