Skip to main content

API keys

Nuvion authenticates requests using API keys passed as Bearer tokens in the Authorization header. 
Authorization: Bearer nv_test_xxxxx
API keys come in two forms:
Key prefixEnvironmentBase URL
nv_test_Sandboxhttps://api.nuvion.dev
nv_live_Productionhttps://api.nuvion.co
No real funds move in sandbox. Always use nv_test_ keys during development and testing.

Getting your API keys

API keys are environment-specific. Sandbox and production keys are managed separately.

Sandbox keys

Create and manage sandbox keys from the Nuvion sandbox dashboard.

Production keys

Create and manage production keys from the Nuvion production dashboard.

Key scopes

API keys inherit the permissions of the user who created them. A key can only perform actions that its creator is authorized to perform within your organization. For example:
  • A key created by an admin can access all resources.
  • A key created by a user with read-only access can only perform GET requests.
Create dedicated API keys for each service or integration. This limits the blast radius if a key is compromised and makes it easier to audit which service made a given request.

Making authenticated requests

Pass your API key in the Authorization header on every request. 
curl https://api.nuvion.dev/accounts \
  -H "Authorization: Bearer nv_test_xxxxx"
Requests without a valid key return a 401 error: 
{
  "error": {
    "code": "unauthorized",
    "message": "No valid API key provided."
  }
}
Requests made with a key that lacks the required permissions return a 403 error: 
{
  "error": {
    "code": "forbidden",
    "message": "Your API key does not have permission to perform this action."
  }
}

Keeping keys secure

API keys carry the same privileges as your account credentials. Never expose them in client-side code, public repositories, or logs.
  • Store keys in environment variables or a secrets manager — never hardcode them.
  • Rotate keys immediately if you suspect they have been compromised. You can do this from your dashboard without downtime by creating a new key before deleting the old one.
  • Delete keys that are no longer in use.

IP allowlisting

For webhook endpoints, Nuvion supports IP allowlisting to restrict inbound delivery to Nuvion’s IP ranges only. Contact support to obtain the list of Nuvion IP addresses and configuration details.