Authentication

All NeuroAPI requests are authenticated with a bearer key. Treat keys like passwords — never commit them to source control or expose them in client-side code.

Bearer token header

Include your key on every request with the Authorization header:

Authorization: Bearer nk_live_xxxxxxxxxxxxxxxxxxxx

Key format

Live keys are prefixed with nk_live_. The full secret is shown only once at creation time; only the prefix and a fingerprint are stored server-side, so we cannot recover a lost key — rotate it instead.

Creating, revoking and rotating

Manage keys at Dashboard → API Keys. You can create multiple keys per project (e.g. one per environment), revoke compromised keys instantly, and label keys for traceability in request logs.

Best practices

  • Store keys in environment variables or a secrets manager.
  • Use separate keys per environment (development, staging, production).
  • Rotate keys on a regular cadence and immediately after suspected exposure.
  • Call the API server-side only — never ship keys to browsers or mobile apps.

Never expose keys client-side

If your use case requires browser access, proxy requests through your own backend so the key stays on the server.
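
A minimal sketch of such a backend proxy, added here as an example and not taken from NeuroAPI's own code. The upstream host, the /v1/complete path and the NEUROAPI_KEY variable name are assumptions; only the nk_live_ prefix and the Authorization: Bearer header come from this page.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "https://api.neuroapi.example"  # placeholder host, not from the docs
ALLOWED_PATHS = {"/v1/complete"}           # hypothetical endpoint allow-list
MAX_BODY = 64 * 1024                       # cap on the forwarded body size

def load_key(env=os.environ):
    """Read the key from the environment; refuse to run without a live key."""
    key = env.get("NEUROAPI_KEY", "")      # variable name is an assumption
    if not key.startswith("nk_live_"):
        raise RuntimeError("NEUROAPI_KEY is missing or not an nk_live_ key")
    return key

def build_upstream_request(path, body, client_headers, key):
    """Build the server-to-API request; browser Authorization/Cookie are dropped."""
    if path not in ALLOWED_PATHS:
        raise PermissionError(path)
    ctype = client_headers.get("Content-Type", "application/json")
    headers = {"Authorization": f"Bearer {key}", "Content-Type": ctype}
    return urllib.request.Request(UPSTREAM + path, data=body, headers=headers, method="POST")

class Proxy(BaseHTTPRequestHandler):
    def do_POST(self):
        # Check your own user's session here before forwarding (not shown).
        length = int(self.headers.get("Content-Length", 0))
        if not 0 <= length <= MAX_BODY:
            return self.send_error(413)
        try:
            req = build_upstream_request(self.path, self.rfile.read(length), self.headers, load_key())
        except PermissionError:
            return self.send_error(404)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                status, payload = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, payload = err.code, err.read()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    load_key()  # fail fast if the key is not configured
    ThreadingHTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The browser calls this proxy instead of the API, so the key appears only in the server's environment and in the outbound request.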