Authentication
How to authenticate with Noukai — JWT tokens for the web app, API keys for server-to-server calls.
Noukai uses two authentication methods depending on the context.
Authentication Methods
| Method | Use Case | Header Format |
|---|---|---|
| JWT Token | Web app sessions, dashboard | Authorization: Bearer <supabase_jwt> |
| API Key | Server-to-server, flow execution, production | Authorization: Bearer nk_live_... |
| OAuth 2.1 | MCP clients (Claude Code, Cursor) | Browser sign-in, automatic |
For flow execution and server-to-server calls, use API keys. For MCP tool access, use OAuth — Claude Code handles this automatically when you add the server.
API Keys
Format
| Part | Example | Description |
|---|---|---|
| Prefix | nk | Identifies as a Noukai key |
| Environment | live or test | Production or sandbox |
| Key ID | Ab12CdEf | 8-character identifier |
| Secret | your32charsecret... | 32-character secret (shown once) |
Creating a Key
- Go to Project Settings → API Keys
- Click Create Key
- Choose environment: live (production) or test (sandbox)
- Name your key (e.g., "Production Server")
- Copy the full key immediately
The secret is shown once at creation. If lost, revoke the key and create a new one.
Using a Key
Pass the full key in the Authorization header:
Limits
- Maximum 10 active keys per project
- Keys can be revoked instantly (propagates within 30 seconds)
- Optional expiration date at creation
Security Best Practices
- Never commit keys to version control
- Use environment variables: NOUKAI_API_KEY=nk_live_...
- Use test keys during development, live keys in production
- Rotate keys periodically
- Revoke compromised keys immediately via the dashboard
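The following Python is an added example, not Noukai's own code: it loads NOUKAI_API_KEY from the environment, refuses a key whose live/test environment does not match the deployment, builds the Authorization header, and flags keys embedded in text such as a staged diff. The separator between key ID and secret, the alphanumeric character set, the function names and the treatment of the key ID as safe to log are assumptions; the sample key is constructed.

```python
import os
import re

# Assumed layout (the page names the parts but not the separators):
#   nk_<live|test>_<8-char key ID>[_]<32-char secret>, alphanumeric parts.
KEY_RE = re.compile(r"\bnk_(live|test)_([A-Za-z0-9]{8})_?([A-Za-z0-9]{32})\b")

# Constructed sample key, not a real credential.
SAMPLE_KEY = "nk_test_Ab12CdEf_0123456789abcdef0123456789abcdef"


class NoukaiKeyError(ValueError):
    """Raised when NOUKAI_API_KEY is missing, malformed or for the wrong environment."""


def parse_key(raw):
    """Return (environment, key_id) for a well-formed key, else raise."""
    match = KEY_RE.fullmatch(raw.strip())
    if match is None:
        raise NoukaiKeyError("value does not look like a Noukai API key")
    return match.group(1), match.group(2)


def redact(raw):
    """Loggable form: prefix, environment and key ID only, never the secret."""
    env, key_id = parse_key(raw)
    return f"nk_{env}_{key_id}..."


def auth_header(expected_env, environ=os.environ):
    """Build the Authorization header from NOUKAI_API_KEY, refusing a key
    whose environment differs from what this deployment expects."""
    raw = environ.get("NOUKAI_API_KEY", "").strip()
    if not raw:
        raise NoukaiKeyError("NOUKAI_API_KEY is not set")
    env, _ = parse_key(raw)
    if env != expected_env:
        raise NoukaiKeyError(f"{redact(raw)} is a {env} key, expected {expected_env}")
    return {"Authorization": f"Bearer {raw}"}


def find_committed_keys(text):
    """Return redacted matches for keys embedded in text such as a staged diff."""
    return [f"nk_{m.group(1)}_{m.group(2)}..." for m in KEY_RE.finditer(text)]
```

Call auth_header("live") once at service start so a missing or sandbox key stops the deployment early, and run find_committed_keys over staged changes in a pre-commit hook.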
Scoping
Each API key is scoped to a single project within an organization. A key for project A cannot access flows in project B.
If you need to access multiple projects, create a key per project.