Securing API keys and using an IP allowlist
Your CronJobPro API key grants full access to create, update, delete, and trigger jobs through the REST API. Treat it like a password: keep it server-side, rotate it regularly, and lock it down to the networks that actually need it.
Keep keys secret
The API authenticates requests with a key sent in the X-Api-Key header. Anyone holding that key can act as you, so it must never reach a browser, a mobile app, or any client-side code.
- Use keys only from server-side code, never in front-end JavaScript or shipped apps.
- Store the key in an environment variable or a secrets manager, not hard-coded in source.
- Keep keys out of version control, logs, screenshots, and support tickets.
- Use a separate key per environment (development, staging, production) so you can revoke one without breaking the others.
```bash
# Read the key from the environment, never inline it
curl https://cronjobpro.com/api/jobs \
  -H "X-Api-Key: $CRONJOBPRO_API_KEY"
```

If a key is ever exposed (committed to a repo, pasted in a chat, or leaked in logs), delete it immediately under Settings then API Keys and create a fresh one. Deleting a key revokes it instantly.
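The server-side pattern above, written out as an added example that is not CronJobPro's own client library: the key is read from the environment and the process fails closed when it is missing, the request carries the key in the documented X-Api-Key header, and a logging filter scrubs the key from anything that would otherwise end up in logs or support tickets. The base URL follows the curl command on this page; the class and function names are this example's own.

```python
import logging
import os
import urllib.request

# Added example, not CronJobPro's code. Base URL and header name follow the
# page's curl command; the names below are assumptions for illustration.
API_BASE = "https://cronjobpro.com/api"
KEY_ENV_VAR = "CRONJOBPRO_API_KEY"
REDACTED = "[REDACTED]"


class MissingApiKey(RuntimeError):
    """Raised when the key is absent, so a misconfigured service fails closed."""


def load_api_key(environ=None):
    """Read the key from the environment, never from source code.

    `environ` defaults to os.environ; passing a dict keeps the function
    testable without touching the real process environment.
    """
    env = os.environ if environ is None else environ
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise MissingApiKey(f"{KEY_ENV_VAR} is not set; refusing to call the API")
    return key


def build_request(path, api_key, method="GET", body=None):
    """Build (but do not send) a request carrying the key in X-Api-Key."""
    req = urllib.request.Request(f"{API_BASE}{path}", data=body, method=method)
    req.add_header("X-Api-Key", api_key)
    return req


def redact(text, api_key):
    """Mask the key wherever it appears in text bound for logs or tickets."""
    return text.replace(api_key, REDACTED) if api_key else text


class KeyRedactingFilter(logging.Filter):
    """Logging filter that scrubs the key from every record it sees."""

    def __init__(self, api_key):
        super().__init__()
        self.api_key = api_key

    def filter(self, record):
        # Format the message first so the key is caught even when it arrives
        # as a %s argument, then drop the args so it is not re-formatted.
        record.msg = redact(record.getMessage(), self.api_key)
        record.args = ()
        return True


if __name__ == "__main__":
    key = load_api_key()
    req = build_request("/jobs", key)
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("cronjobpro")
    log.addFilter(KeyRedactingFilter(key))
    # Even this careless line is safe: the key never reaches the log output.
    log.info("prepared %s %s with X-Api-Key: %s", req.get_method(), req.full_url, key)
```

Reading the key through a parameterised `environ` and returning the built request instead of sending it keeps the logic testable offline; in production you would pass the request to `urllib.request.urlopen` and attach the filter to every logger that might see the key.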
Rotate keys regularly
1. Create a new key: go to Settings then API Keys and create a replacement key, optionally with the same IP allowlist as the old one.
2. Roll it out: update the environment variable or secret in each service that calls the API, then redeploy or restart so the new key takes effect.
3. Verify, then revoke: confirm your jobs and integrations still work, then delete the old key. Rotate on a schedule and any time someone with access leaves.
Restrict a key with an IP allowlist
Each API key can carry an optional IP allowlist made up of CIDR ranges. When set, requests are accepted only from source IPs inside those ranges, so a stolen key is useless from anywhere else. Add the static IPs of your servers or your office network.
| Scenario | Example CIDR |
|---|---|
| A single server | 203.0.113.10/32 |
| A small office subnet | 198.51.100.0/24 |
| No restriction (any IP) | leave the allowlist empty |
Use the narrowest range that still covers your callers. A /32 pins access to one exact IP, which is the safest option when your caller has a stable address.
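To make the allowlist semantics concrete, here is an added example (not CronJobPro's server code) that applies the rules described above to a constructed request log using the CIDRs from the table: a /32 admits exactly one address, a /24 admits its whole subnet, an empty allowlist means no restriction, and an unparsable source address is rejected. It also derives the narrowest allowlist from a set of observed caller IPs, which goes slightly beyond the page by merging adjacent addresses into the smallest block that contains only them.

```python
import ipaddress

# Added example, not part of the CronJobPro service. The CIDRs are the
# documentation values from the table above; the request log is constructed.
CONSTRUCTED_REQUESTS = [
    ("203.0.113.10", "from the single allowed server"),
    ("203.0.113.11", "neighbouring host, outside the /32"),
    ("198.51.100.200", "inside the office /24"),
    ("192.0.2.77", "unknown network, e.g. a stolen key"),
    ("not-an-ip", "malformed source address"),
]


def parse_allowlist(cidrs):
    """Turn CIDR strings into network objects.

    strict=True rejects entries such as 198.51.100.5/24 whose host bits are
    set, which usually signals a typo in the intended range.
    """
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(source_ip, allowlist):
    """True when the source IP falls inside any allowed range.

    An empty allowlist means no restriction (the 'any IP' row of the table);
    an address that does not parse fails closed.
    """
    if not allowlist:
        return True
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in net for net in allowlist)


def evaluate(requests, allowlist):
    """Decide each (ip, note) pair; returns a list of (ip, decision)."""
    return [
        (ip, "allowed" if is_allowed(ip, allowlist) else "rejected")
        for ip, _note in requests
    ]


def suggest_allowlist(caller_ips):
    """Narrowest allowlist covering a set of observed caller addresses.

    Each address becomes a /32 (or /128); only addresses that are exactly
    adjacent are merged, e.g. 203.0.113.10 and .11 become 203.0.113.10/31,
    so the result never admits an address that was not observed.
    """
    nets = [ipaddress.ip_network(ip) for ip in caller_ips]
    result = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        result.extend(
            ipaddress.collapse_addresses(n for n in nets if n.version == version)
        )
    return [str(n) for n in result]


if __name__ == "__main__":
    allowlist = parse_allowlist(["203.0.113.10/32", "198.51.100.0/24"])
    for (ip, note), (_, decision) in zip(CONSTRUCTED_REQUESTS, evaluate(CONSTRUCTED_REQUESTS, allowlist)):
        print(f"{ip:>16}  {decision:<8}  {note}")
    print("suggested:", suggest_allowlist(["203.0.113.10", "198.51.100.7", "203.0.113.10"]))
```

The useful check here is the one the page recommends: run `suggest_allowlist` over the addresses your callers actually use and compare it with what is configured; any range wider than that output admits addresses you never needed.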
What CronJobPro protects on its side
Optional request headers you store on a job, which often carry tokens or auth values for your target endpoint, are encrypted at rest. Even so, scope every secret as tightly as you can and combine key rotation with an IP allowlist for defense in depth.