Authentication
The three ways to authenticate with the Nolixan API, and how each resolves an environment.
Nolixan accepts three authentication methods, tried in this priority order:
1. API-Key header (SDK / server-to-server)
A secret key (sk_…) that belongs to one environment and resolves it directly —
no JWT, no extra headers. This is what the SDKs use.
API keys carry grants that can restrict them to specific providers and actions — for example
providers: ["github"], actions: ["github/list-repos", "github/*"]. A key with no grants has full
access (legacy); a key with empty provider/action lists is an explicit deny-all.
2. Authorization: Bearer <JWT> + Environment-Id (dashboard / user session)
A user JWT plus an explicit environment. The environment must belong to the user's account.
3. Authorization: Bearer <JWT> alone (fallback)
A user JWT with no Environment-Id falls back to the user's first environment.
Which to use
Use an API-Key for agents, backends, and the SDKs. Use a JWT for browser sessions where a signed-in user acts inside a chosen environment. Public endpoints (the catalog) need no auth at all.