Skip to main content
All /api/v1/* requests require a bearer credential:
nxsk_ is the exclusive namespace for scoped partner credentials. A malformed, unknown, rotated, revoked, or unsupported nxsk_ value returns 401 and is never retried against the grandfathered legacy-key store. Each scoped key is bound at issuance to exactly one organization, one canonical named environment, a set of engine IDs, and a capability set. Those bindings come from the authenticated principal. Request bodies and query parameters cannot select another organization or environment.

Capabilities

A runtime key normally carries runs:write, runs:read, engines:read, and catalog:read. A webhook-admin key carries webhooks:manage. Grant runs:test and runs:defensibility:read only to principals that need those separate surfaces. Missing grants return 403 with code: insufficient_capability. Keys are returned only at issuance or rotation. Store them in a server-side secret manager. Never place them in browser code, logs, URLs, or repositories.

Authentication errors

If credential lookup is temporarily unavailable, the API returns 503 with code: auth_unavailable. Grandfathered nx_live_... and nx_test_... credentials retain broad access during the compatibility window. New partner integrations should use scoped nxsk_v1_... credentials.