API keys
API keys are project-scoped and come in two types:
| Type | Used for | Accepted by |
|---|---|---|
secret (nrn_sk_...) | Server-side calls to platform-api, service-api, and MCP. | platform-api, service-api, MCP |
publishable (nrn_pk_...) | Browser-facing surfaces (e.g. the web widget). | Not accepted by service-api or MCP. |
A key is the grant — presenting a valid secret key resolves directly to
{ apiKeyId, projectId, organizationId, keyType } with no further membership check. There is no
concept of “this key acts as user X” — it acts for the project it was minted under.
Minting a key
Section titled “Minting a key”- Create (or use) a platform-type project.
- On
platform.v2.nairon.xyz, go to that project’s API Keys page. - Click Create key, choose the type, and copy the plaintext value immediately — it is shown only once. Nairon stores only a SHA-256 hash plus the key’s prefix/last-4 for display.
- Revoke a key from the same page at any time; revocation is immediate.
Verifying a key
Section titled “Verifying a key”curl https://api.v2.nairon.xyz/v1/me -H "Authorization: Bearer NAIRON_API_KEY"{"apiKeyId": "...", "projectId": "...", "organizationId": "...", "keyType": "secret"}Never commit real keys
Section titled “Never commit real keys”Treat nrn_sk_... keys like any other credential — never commit them, and never embed a real key
in a shared code sample. All examples in this documentation use the placeholder NAIRON_API_KEY.