Cron Jobs

Your cron job has a plaintext API key. So does the attacker.

A billing sync, a health check, a nightly data export. The API key is in a .env file or crontab on the server. If the server is compromised, the key works from anywhere.

The problem with API keys in scheduled tasks

Keys sit in plaintext on disk
The API key lives in a .env file, a crontab, or a systemd unit. Anyone with server access can read it and use it from any machine.
No way to distinguish the cron job from an attacker
If someone copies the key, their requests look identical to the cron job's. Your logs show the same API key for both.
Rotation means updating every server
If you rotate the key, every cron job on every server that uses it needs updating simultaneously. Miss one and the job fails silently at 3 AM.

The solution

// Cron script — signs every request with device identity
import { amesh } from '@authmesh/sdk';

const res = await amesh.fetch(
  'https://api.internal/billing/sync',
  { method: 'POST', body: JSON.stringify({ date: '2026-04-01' }) }
);

console.log(`Sync complete: ${res.status}`);

What changes

Before
API key in .env or crontab
Can't tell cron job from attacker
Compromised server = key works anywhere
After
Device-bound key signs the request automatically
req.authMesh.deviceId on every request
amesh revoke kills that device only
Related
Doc Integration Guide
Express setup, remote pairing, Redis nonce store
Use Cases
Webhooks
Use Cases
Internal Tools