An API key authenticates every request as a Bearer token (see Authentication).
Keys come in two classes:
| Class | Can do |
|---|
| Usage | Submit nesting requests. The default. |
| Admin | Everything a Usage key can, plus manage browser origins and fairness. |
Creating and managing keys
Key lifecycle — create, list, regenerate, and delete — is currently managed from your
NestAPI dashboard, not through the API. Use the dashboard to issue an Admin or Usage key,
set its expiry and parallelism, and rotate or disable it. Programmatic, API-key-driven key
management is on the roadmap; this page will document those endpoints when they ship.
To check a key you already hold — validity and expiry — see
Identity & key status.
Browser origins (CORS)
These endpoints are API-callable with an Admin key. For a key used from a browser,
restrict which origins may call the API with it. Origins are matched exactly — scheme,
host, and (non-default) port must all match.
| Endpoint | Method | Purpose |
|---|
/apikeys/{KeyId}/origins | GET | List allowed origins |
/apikeys/{KeyId}/origins | POST | Add an allowed origin |
/apikeys/{KeyId}/origins | DELETE | Remove an allowed origin |
curl https://dev.api.nestapi.com/apikeys/YOUR_KEY_ID/origins \
-X POST \
-H "Authorization: Bearer YOUR_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{ "Origin": "https://app.example.com" }'
For local development add your dev server’s exact origin, e.g. http://localhost:3000 —
http://localhost:3000, https://localhost:3000, and http://localhost:5173 are all
distinct.
Keep long-lived keys server-side. Never ship an unrestricted key in browser or mobile code.