Authentication
API keys, sandbox vs production, and rotation.
Every Nora /v2/* request authenticates with a single header:
X-API-Key: sk_test_...

There are no bearer tokens, no OAuth, no cookie flow for the public API. The key is the only credential.
What a key binds to
Each key is scoped to one Organization × Instance pair. The key
itself encodes which org and which environment (sandbox / production)
the call applies to — you never send X-Organization-ID or similar
headers.
| Environment | Base URL | Key prefix |
|---|---|---|
| Sandbox | https://staging.api.nora.finance | sk_test_ |
| Production | https://api.nora.finance | sk_live_ |
A sandbox key cannot call production and vice versa — you'll get a
401.
Creating a key
Create, list, and revoke keys via the dashboard at Settings → API Keys. See Dashboard → API keys for the UI walkthrough.
Rotation
There is no in-place rotate. Rotation is:
- Create a new key with a descriptive name (e.g. backend-2026-04).
- Swap the secret into your config.
- Deploy, verify traffic flows.
- Revoke the old key.
Revoked keys immediately return 401. If you need to distinguish
"never valid" from "rotated out from under this deploy" in your
operational tooling, inspect the response body — when present, a
machine-readable code field can disambiguate.
Gotchas
- Plaintext is shown once. Store it in your secret manager the moment you create the key.
- Keys are scoped. Do not try to use a sandbox key against production or vice versa — it is always a 401.
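A small client helper for the key scheme described above (the single X-API-Key header, the sk_test_ / sk_live_ prefixes and their base URLs, and the optional code field on a 401). This is an added example, not Nora's own SDK; the sample key and the code value in the comments are constructed, and the meaning of any real code value is whatever the Errors page documents.

```python
# Example helper for Nora's key scheme (added here; not Nora's SDK).
# It derives the base URL from the key prefix so a sandbox key is never
# sent to production (or vice versa), sets the X-API-Key header, keeps
# keys out of logs, and surfaces the optional `code` field on a 401.
import json
import urllib.request
from typing import Optional

# Environment table from the docs: key prefix -> base URL.
ENVIRONMENTS = {
    "sk_test_": "https://staging.api.nora.finance",
    "sk_live_": "https://api.nora.finance",
}


def base_url_for_key(api_key: str) -> str:
    """Return the base URL the key is scoped to; reject unknown prefixes."""
    for prefix, url in ENVIRONMENTS.items():
        if api_key.startswith(prefix):
            return url
    raise ValueError("API key has no recognised environment prefix")


def build_request(api_key: str, path: str) -> urllib.request.Request:
    """Build a /v2 request carrying only the X-API-Key header. The host is
    chosen from the key itself, so a mismatched key/URL pair (the always-401
    case from the Gotchas) cannot be constructed here."""
    if not path.startswith("/v2/"):
        raise ValueError("public API paths live under /v2/")
    req = urllib.request.Request(base_url_for_key(api_key) + path)
    req.add_header("X-API-Key", api_key)
    return req


def redact_key(api_key: str) -> str:
    """Log-safe form: keep the environment prefix and last 4 chars only."""
    for prefix in ENVIRONMENTS:
        if api_key.startswith(prefix):
            return prefix + "****" + api_key[-4:]
    return "<unrecognised key>"


def auth_failure_code(status: int, body: bytes) -> Optional[str]:
    """On a 401, return the machine-readable `code` field when the response
    body carries one, else None (the body is not guaranteed to have it)."""
    if status != 401:
        return None
    try:
        payload = json.loads(body or b"{}")
    except ValueError:
        return None
    code = payload.get("code") if isinstance(payload, dict) else None
    return code if isinstance(code, str) else None


SAMPLE_KEY = "sk_test_EXAMPLEabcd1234"  # constructed, not a real credential
```

Operational tooling can branch on the value returned by auth_failure_code (for example, to tell a rotated-out key from one that was never valid) and should log only redact_key(...) output.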
See also
- Errors — auth-related error codes
- Dashboard → API keys