/api/v1/* requests require a bearer credential:
nxsk_ is the exclusive namespace for scoped partner credentials. A malformed,
unknown, rotated, revoked, or unsupported nxsk_ value returns 401 and is
never retried against the grandfathered legacy-key store.
Each scoped key is bound at issuance to exactly one organization, one canonical
named environment, a set of engine IDs, and a capability set. Those bindings
come from the authenticated principal. Request bodies and query parameters
cannot select another organization or environment.
Capabilities
A runtime key normally carries
runs:write, runs:read, engines:read, and catalog:read.
A webhook-admin key carries webhooks:manage. Grant runs:test and
runs:defensibility:read only to principals that need those separate surfaces.
Missing grants return 403 with code: insufficient_capability.
Keys are returned only at issuance or rotation. Store them in a server-side
secret manager. Never place them in browser code, logs, URLs, or repositories.
Authentication errors
503 with
code: auth_unavailable.
Grandfathered nx_live_... and nx_test_... credentials retain broad access
during the compatibility window. New partner integrations should use scoped
nxsk_v1_... credentials.