Carpathian Logo
Api Usage
API Keys & Access

Carpathian Cloud documentation on using api keys for ssh and remote access to your spark servers and development environment.

5 min read
1 views
API Keys & Access

All access keys for Carpathian are managed in one place: Developer > API Keys.

There are four types of keys. Each one controls access to a different part of the platform.

Key Types

Server API Key (cpk_)

Server API keys authenticate programmatic access to your servers. Use them for CI/CD deployments, automation scripts, and SSH gateway authentication.

What it does:

  • Trigger and monitor deployments
  • Start, stop, and restart servers
  • View server details and metrics
  • Authenticate to the SSH gateway (use the key as your SSH password)

How to create:

  1. Go to Developer > API Keys > Server tab
  2. Click Create Key
  3. Enter a name, select a server, and choose a permission scope
  4. Copy and save the key immediately — it is shown only once

Permission scopes:

  • Deployment — Trigger deployments, view deployment status and logs
  • Read Only — View server details and metrics (no write access)
  • Server Control — Start, stop, and restart the server
  • Full Access — All available permissions

Usage example:

curl -H "Authorization: Bearer cpk_your_key_here" \
  https://api.carpathian.ai/api/v1/servers

SSH Public Key

SSH public keys let you log in to the SSH gateway without a password. Register the public key from your computer, then connect using your private key automatically.

What it does:

  • Authenticates you to the SSH gateway at ssh.carpathian.ai:2222
  • No password required once registered

How to create:

  1. Go to Developer > API Keys > SSH tab
  2. Click Create Key
  3. Enter a name (e.g., "MacBook Pro")
  4. Paste your public key (from ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub)

Connecting via SSH gateway:

ssh vm-<server_id>@ssh.carpathian.ai -p 2222

Replace <server_id> with your server's hashed ID (shown on the routing page).

Supported key types: ed25519, RSA, ECDSA

AI Instance Key (cai_)

AI instance keys grant access to Carpathian-hosted AI models. When you subscribe to an AI plan, you can create instances that each get their own API key with independent usage tracking.

What it does:

  • Access Carpathian-hosted AI models (Claude, GPT, etc.)
  • Each instance tracks tokens and requests independently
  • Per-instance rate limits and token budgets

How to create:

  1. Go to Developer > API Keys > AI Managed tab
  2. Click Create Key
  3. Enter an instance name and select a model
  4. Copy and save the key immediately — it is shown only once

Requirements: An active AI subscription is required. Available models depend on your plan.

Usage example:

curl -H "Authorization: Bearer cai_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"model": "claude-sonnet-4-6", "messages": [{"role": "user", "content": "Hello"}]}' \
  https://api.carpathian.ai/ai/chat

Managing instances: Click "Manage" on any instance to configure token budgets, rate limits, and model settings at the AI Instances detail page.

AI Proxy Key — BYOK (cpx_)

AI Proxy keys let you route AI requests through Carpathian to your own provider account (Anthropic, OpenAI, or any OpenAI-compatible API). Carpathian adds usage tracking, rate limiting, content filtering, and request logging.

What it does:

  • Routes your AI requests through Carpathian's proxy
  • You provide your own provider API key (Bring Your Own Key)
  • Carpathian tracks tokens, requests, and costs
  • IP allowlisting and content filtering available per key

How to create:

  1. Go to Developer > API Keys > AI Proxy tab
  2. Click Create Key
  3. Enter a name, select your AI provider, and paste your provider's API key
  4. Copy and save the proxy key immediately — it is shown only once

Supported providers: Anthropic (Claude), OpenAI, Other (OpenAI-compatible)

Usage example:

curl -H "Authorization: Bearer cpx_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"model": "claude-sonnet-4-6", "messages": [{"role": "user", "content": "Hello"}]}' \
  https://api.carpathian.ai/ai/proxy

Your provider API key is encrypted at rest and never exposed. Carpathian proxies your request using the stored key.

Managing proxy keys: Click "Manage" on any proxy key to configure rate limits, model allowlists, IP firewall rules, and view request logs.

SSH Gateway Authentication

The SSH gateway at ssh.carpathian.ai:2222 supports two authentication methods:

Option 1: Server API Key (as password)

ssh vm-<server_id>@ssh.carpathian.ai -p 2222
# When prompted for password, enter your cpk_ API key

Option 2: SSH Public Key (passwordless)

ssh vm-<server_id>@ssh.carpathian.ai -p 2222
Automatically uses your registered public key

The server must have SSH gateway enabled (configure under Networking > Routing).

Security

Firewall (IP allowlisting)

Restrict which IP addresses can use your keys. Configure firewall rules at Networking > Firewall. Rules can scope to SSH Gateway, API, and AI endpoints independently.

Key rotation

Server API keys, AI instance keys, and AI proxy keys can be rotated. Rotation generates a new key and immediately revokes the old one.

Auto-lock

Server API keys are automatically locked after repeated failed authentication attempts from unauthorized IPs. Unlock them from the key management view.

Key revocation

Revoke a key to permanently disable it without deleting the audit trail. Revoked keys cannot be re-enabled.

This documentation is open to the public to make the platform API available for customers. However, since Carpathian Cloud is still in beta and being actively developed, this document might be outdated or incorrect. If you find anything confusing or misleading, please send an email to info@carpathian.ai.