Skip to main content
An API key authenticates every request as a Bearer token (see Authentication). Keys come in two classes:
ClassCan do
UsageSubmit nesting requests. The default.
AdminEverything a Usage key can, plus manage browser origins and fairness.

Creating and managing keys

Key lifecycle — create, list, regenerate, and delete — is currently managed from your NestAPI dashboard, not through the API. Use the dashboard to issue an Admin or Usage key, set its expiry and parallelism, and rotate or disable it. Programmatic, API-key-driven key management is on the roadmap; this page will document those endpoints when they ship.
To check a key you already hold — validity and expiry — see Identity & key status.

Browser origins (CORS)

These endpoints are API-callable with an Admin key. For a key used from a browser, restrict which origins may call the API with it. Origins are matched exactly — scheme, host, and (non-default) port must all match.
EndpointMethodPurpose
/apikeys/{KeyId}/originsGETList allowed origins
/apikeys/{KeyId}/originsPOSTAdd an allowed origin
/apikeys/{KeyId}/originsDELETERemove an allowed origin
curl https://dev.api.nestapi.com/apikeys/YOUR_KEY_ID/origins \
  -X POST \
  -H "Authorization: Bearer YOUR_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "Origin": "https://app.example.com" }'
For local development add your dev server’s exact origin, e.g. http://localhost:3000http://localhost:3000, https://localhost:3000, and http://localhost:5173 are all distinct.
Keep long-lived keys server-side. Never ship an unrestricted key in browser or mobile code.