How to manage authentication for private functions

Reviewed on November 24, 2025

Important

Scaleway Serverless Functions used to rely on JWT authentication tokens to access private resources. This feature is now deprecated, you must therefore use Scaleway IAM to access your private functions using an API key.

This page shows you how to manage authentication for private functions from the Scaleway console.

Before you start

To complete the actions presented below, you must have:

A Scaleway account logged into the console
Owner status or IAM permissions allowing you to perform actions in the intended Organization
A functions namespace
A function

Managing authentication from the Scaleway console

Serverless Functions used to rely on a legacy token-based authentication to call private functions. Scaleway IAM offers a modern way to access private resources using API keys.

Calling private functions

To call a private function, you have to add the secret key of the previously created API key to a X-Auth-Token header.

A private function observes this behavior:

If a call is made without the X-Auth-Token header, the call is rejected (status code 403).
If the X-Auth-Token header is provided, the token is validated using the IAM API public key corresponding to the private key provided.

For example, to execute a private function by providing a secret key using curl, run the following command:

curl -H "X-Auth-Token: <API_SECRET_KEY>" <YOUR_FUNCTION_ENDPOINT>

Before you start

Managing authentication from the Scaleway console

Calling private functions

Revoking authentication