Authentication
CRW keeps auth simple: use a Bearer token on the hosted API, and enable the same pattern on self-hosted deployments only when you need it.
Hosted API
Every authenticated request to the hosted API uses:
Authorization: Bearer YOUR_API_KEY
Example:
curl -X POST https://fastcrw.com/api/v1/scrape \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com","formats":["markdown"]}'
Self-Hosted API
Self-hosted CRW does not require auth unless you configure API keys.
Set one or more keys in config:
[auth]
api_keys = ["fc-key-1234", "fc-key-5678"]
Once keys are configured, every route under /v1/* and /mcp requires the same Bearer header.
Behavior
- No keys configured: self-hosted API routes are open
- Keys configured:
/v1/*and/mcprequireAuthorization: Bearer ... /healthalways stays public
Error Cases
{
"success": false,
"error": "Missing Authorization header"
}
{
"success": false,
"error": "Invalid API key"
}
Common Mistakes
- Forgetting the
Bearerprefix - Mixing a hosted key with a self-hosted deployment
- Turning on auth locally and forgetting that MCP over HTTP will also need the header
What To Read Next
- Quick Start for the first authenticated request
- API Playground for interactive testing
- Self-Hosting for private deployments