API keys

API keys authenticate every request from your backend to the Nora API. You'll spend time on this page early — once at setup to mint your first key, then again later when you rotate or revoke keys. Each key is scoped to a single instance (sandbox or production), so you manage them separately per environment.

Where to find it

Sidebar → API Keys. Available to anyone with the apiKey.read permission. Creating keys needs apiKey.create; revoking needs apiKey.delete. Members without read access see a locked state with a pointer to ask an admin.

Make sure the instance picker at the top of the dashboard is set to the right environment first — keys are instance-scoped, so the list and the create button both follow your current selection.

Create an API key

1. Click Create API key in the top right. (Button is disabled until an instance is selected.)
2. In the dialog, enter a Key name — something like "Production server" or "CI pipeline". Names are for your own bookkeeping.
3. Optionally pick an Expiration date. Leave it empty for a key that doesn't auto-expire. Minimum expiration is tomorrow.
4. Click Create key.
5. The dialog now shows the plaintext secret in a read-only field. Click the copy icon next to it and paste it into your secret manager before closing this dialog — Nora will not show the secret again.
6. Click Close when you've stored the key safely.

View keys

The table lists every key for the current instance with these columns:

• Name — whatever you entered at creation.
• Key — the masked prefix (e.g. sk_live_abc123…). The full secret is never shown here.
• Status — active, expired, or revoked.
• Expires — the expiration date, or "Never".
• Created — when the key was minted.

Revoke a key

1. Find the row for the key you want to revoke.
2. Click the trash icon at the end of the row (only shown for active keys you have permission to delete).
3. In the "Revoke API key?" confirmation, review the key name.
4. Click Revoke key. The key stops working immediately on the server side.

Revocation is permanent. If you revoked the wrong key, create a new one and rotate your backend config.

Gotchas

• Sandbox and production keys are separate. Switch the instance picker to see the other set. Sandbox keys have a sk_test_ prefix; production keys use sk_live_.
• The plaintext secret is shown exactly once. There's no in-place rotation — if you lose it, revoke the key and create a new one.
• Revoked keys fail with 401 api_key_revoked from the server side. Your backend will start seeing 401s immediately, so plan the cutover before you revoke.
• Create is disabled with no instance selected. If the button is greyed out, pick an instance in the top bar.
• Anyone on your team with apiKey.read can see the masked list, but only users with apiKey.create see the create button and only users with apiKey.delete see the revoke action.

See also

• Authentication (integrators) — how your backend sends the key with each request.
• Authentication core concept — scopes, key lifecycle, and rotation guidance.