MedYan

Security Endpoint Matrix

This matrix describes which API areas are public and which require API key authentication.

Global behavior

Endpoint groups

| Endpoint Pattern | Default (dev/local) | Recommended (production) | Controlled By |
| --- | --- | --- | --- |
| /health, /, static assets (/css, /js) | Public | Public | Always public |
| /proxy/detect | Public | API key required | PUBLIC_DETECTION_ENABLED |
| /proxy/extract, /proxy/download/raw, /proxy/jobs/:id, /proxy/download/:id | Public | API key required | PUBLIC_EXTRACT_ENABLED |
| /api/v1/extract | Public | API key required | PUBLIC_EXTRACT_ENABLED |
| /api/v1/nexus/public_key, /api/v1/nexus/submit | Public | API key required | PUBLIC_NEXUS_SUBMIT_ENABLED |
| /api/v1/auth/* (when enabled) | Public | Public | Feature-flagged auth flow |
| /api/admin/* | API key required | API key required | Always protected |
| /api/history/* | API key required | API key required | Always protected |
| /api/v1/nexus/status | JWT required | JWT required | middleware.Protected |
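
An added example, not MedYan's own code: a Go pre-deployment check that reads the text of an env file and reports every endpoint group from the matrix that a flag still leaves reachable without an API key. The `AuditEnv` helper and its treatment of unset or non-boolean flags as findings are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Each flag and the endpoint patterns it controls, copied from the matrix above.
var groups = []struct{ Flag, Endpoints string }{
	{"PUBLIC_DETECTION_ENABLED", "/proxy/detect"},
	{"PUBLIC_EXTRACT_ENABLED", "/proxy/extract, /proxy/download/raw, /proxy/jobs/:id, /proxy/download/:id, /api/v1/extract"},
	{"PUBLIC_NEXUS_SUBMIT_ENABLED", "/api/v1/nexus/public_key, /api/v1/nexus/submit"},
}

// AuditEnv (hypothetical helper) returns one finding per flag that does not require an API key.
func AuditEnv(env string) []string {
	vals := map[string]string{}
	for _, line := range strings.Split(env, "\n") {
		line = strings.TrimSpace(line)
		k, v, ok := strings.Cut(line, "=")
		if !ok || strings.HasPrefix(line, "#") {
			continue // skip blanks, comments and lines without KEY=VALUE
		}
		vals[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
	}
	var findings []string
	for _, g := range groups {
		raw, set := vals[g.Flag]
		on, err := strconv.ParseBool(raw)
		switch {
		case !set: // assumption: an unset flag falls back to the matrix default (public)
			findings = append(findings, g.Flag+" unset, default is public: "+g.Endpoints)
		case err != nil: // assumption: a value that is not clearly boolean is unsafe
			findings = append(findings, g.Flag+" has non-boolean value "+strconv.Quote(raw))
		case on:
			findings = append(findings, g.Flag+"=true leaves public: "+g.Endpoints)
		}
	}
	return findings
}

func main() {
	// Constructed sample: one flag still on, one missing.
	sample := "PUBLIC_DETECTION_ENABLED=false\nPUBLIC_EXTRACT_ENABLED=true\n"
	for _, f := range AuditEnv(sample) {
		fmt.Println("FAIL:", f)
	}
}
```

An empty result means all three flag-controlled groups require an API key; the always-public, always-protected and JWT rows of the matrix are not affected by these flags and are not checked.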

Practical profiles

Local development

Use in .env.local:

PUBLIC_DETECTION_ENABLED=true
PUBLIC_EXTRACT_ENABLED=true
PUBLIC_NEXUS_SUBMIT_ENABLED=true

Production

Use in production env:

PUBLIC_DETECTION_ENABLED=false
PUBLIC_EXTRACT_ENABLED=false
PUBLIC_NEXUS_SUBMIT_ENABLED=false

Then call protected endpoints with: