> ## Documentation Index
> Fetch the complete documentation index at: https://dev-docs.nestapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> Key classes, lifecycle, and browser-origin (CORS) control.

An **API key** authenticates every request as a Bearer token (see [Authentication](/authentication)).
Keys come in two classes:

| Class     | Can do                                                                                    |
| --------- | ----------------------------------------------------------------------------------------- |
| **Usage** | Submit nesting requests. The default.                                                     |
| **Admin** | Everything a Usage key can, plus manage browser origins and [fairness](/account/profile). |

## Creating and managing keys

<Note>
  Key lifecycle — **create, list, regenerate, and delete** — is currently managed from your
  **NestAPI dashboard**, not through the API. Use the dashboard to issue an Admin or Usage key,
  set its expiry and parallelism, and rotate or disable it. Programmatic, API-key-driven key
  management is on the roadmap; this page will document those endpoints when they ship.
</Note>

To check a key you already hold — validity and expiry — see
[Identity & key status](/account/profile).

## Browser origins (CORS)

These endpoints **are** API-callable with an **Admin** key. For a key used from a browser,
restrict which **origins** may call the API with it. Origins are matched **exactly** — scheme,
host, and (non-default) port must all match.

| Endpoint                   | Method | Purpose                  |
| -------------------------- | ------ | ------------------------ |
| `/apikeys/{KeyId}/origins` | GET    | List allowed origins     |
| `/apikeys/{KeyId}/origins` | POST   | Add an allowed origin    |
| `/apikeys/{KeyId}/origins` | DELETE | Remove an allowed origin |

```bash theme={null}
curl https://dev.api.nestapi.com/apikeys/YOUR_KEY_ID/origins \
  -X POST \
  -H "Authorization: Bearer YOUR_ADMIN_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "Origin": "https://app.example.com" }'
```

<Tip>
  For local development add your dev server's exact origin, e.g. `http://localhost:3000` —
  `http://localhost:3000`, `https://localhost:3000`, and `http://localhost:5173` are all
  distinct.
</Tip>

<Warning>
  Keep long-lived keys server-side. Never ship an unrestricted key in browser or mobile code.
</Warning>
