Skip to main content
Nomiq authenticates every inbound API request using HTTP Bearer tokens in the form of API keys. There are no session cookies, OAuth flows, or temporary tokens to manage — you generate a key once in the Dashboard, store it securely in your environment, and include it in the Authorization header of every request you make. This page walks you through exactly how to do that, what the two key types mean, and how to keep your credentials safe.

Finding and Generating API Keys

API keys are created and managed in the Nomiq Dashboard under Workspace Settings → API Keys. Click Create New Key, give it a descriptive label (for example, production-backend or ci-pipeline), and copy the full key value immediately — Nomiq will only display the secret once. If you navigate away before copying, revoke the key and generate a fresh one. You must be on an Agency or Pro billing tier to generate API keys. Free tier accounts do not have API access enabled.

Test Keys vs. Live Keys

Nomiq provides two classes of API key to keep your development and production environments fully isolated. Use Test keys for all local development, automated testing, and CI/CD pipelines. Switch to a Live key only in your production deployment. Test key usage is completely free and does not affect your monthly quota.
Never use a Live key (sk_live_...) in your local development environment or CI/CD test suite. Every request made with a Live key is metered and billed to your workspace. Automated test suites that fire dozens of requests per run can accumulate significant charges quickly.

Passing Your API Key in Requests

Include your API key in the Authorization header of every HTTP request as a Bearer token. The format is always Authorization: Bearer <your_key> — note the single space between Bearer and your key value.

Storing Keys Securely

The single most important security rule is: never commit an API key to source control. Beyond that, follow these practices to keep your credentials safe across every environment. Use environment variables. Store your key in a .env file locally and in your host’s secret management system (for example, AWS Secrets Manager, Heroku Config Vars, or Vercel Environment Variables) in production. Load it into your application at runtime — never at build time.
.env
Ensure .env is listed in your .gitignore before your first commit:
Terminal
Proxy all requests through your backend. Never embed a Nomiq API key in a client-side application — a React SPA, mobile app, or browser extension. Any key visible in client-side code or network traffic can be extracted and misused by third parties. Route all Nomiq calls through a server you control. Scope keys by environment and service. Create separate keys for each deployment environment (development, staging, production) and for each distinct service or pipeline that calls Nomiq. This way, if one key is compromised, you can revoke it without disrupting other services.

Authentication Error Codes

The table below covers every authentication-related HTTP status code you may encounter, along with its most common cause and the recommended fix.

Key Rotation Workflow

If you suspect a key has been compromised, rotate it immediately using this zero-downtime procedure.
1

Generate a Replacement Key

In the Nomiq Dashboard, navigate to Workspace Settings → API Keys and click Create New Key. Label it clearly (for example, production-backend-2) and copy the value immediately.
2

Deploy the New Key

Update the NOMIQ_API_KEY environment variable in your production environment to the new key value and restart your application or trigger a redeployment. Confirm that requests are succeeding with the new key before proceeding.
3

Revoke the Old Key

Return to Workspace Settings → API Keys, find the old key, and click Revoke. Any request that still carries the old key will immediately receive a 401 Unauthorized response.
Never commit API keys to source control — not even in private repositories. Nomiq’s automated security scanners continuously monitor public GitHub repositories for leaked sk_live_... keys. If one is detected, it is revoked automatically and you will receive an email alert. Treat a committed key as fully compromised regardless of repository visibility.

Next Steps

API Reference Overview

Review base URL conventions, pagination parameters, and idempotency headers used across all endpoints.

Rate Limits

Understand per-plan request limits and how to handle 429 errors gracefully in your integration.