API keys
Long-lived credentials for programmatic access.
Not verified yet
API keys are the right credential for applications calling Norcube – fixed secrets you embed in your service, not user-bound tokens that expire.
Today
- LangSync has API keys. Create them in LangSync → API keys in app.norcube.com. See LangSync → Manage API keys.
- Backup, DomainRadar, and PromptHub don't have API keys yet. Use a service-account user with a stored refresh token, refreshed programmatically. See Tokens → Mint an org-scoped token.
Cross-product API keys (a single key with access to multiple products in your org) are on the roadmap.
Usage shape (LangSync)
Authorization: Apikey <your-api-key>The Bearer scheme is also accepted with the same key value.
Best practices
- One key per application. Easier to rotate and revoke than a shared one.
- Store keys in a secret manager (AWS Secrets Manager, GCP Secret Manager, Vault, GitHub Actions secrets, your hosting provider's environment variables). Never commit keys to a repo.
- Rotate periodically. Create a new key, deploy it, watch the Last used timestamp on the old key, then delete the old key.
- Revoke immediately on leak. Revocation is instant – any request
using a revoked key fails with
401.
Behaviour and edge cases
- API keys are organization-scoped. They can act on any resource in the org. There are no per-namespace or per-resource scopes today.
- The full key value is shown only once at creation. Save it where your application can read it; afterwards only a preview is shown in the dashboard.
- Keys don't expire on their own. Rotate manually.
- Revoked keys can't be restored. Issue a new one if you revoke by mistake.