Nolixan

Authentication

The three ways to authenticate with the Nolixan API, and how each resolves an environment.

Nolixan accepts three authentication methods, tried in this priority order:

1. API-Key header (SDK / server-to-server)

A secret key (sk_…) that belongs to one environment and resolves it directly — no JWT, no extra headers. This is what the SDKs use.

API-Key: sk_prod_...

API keys carry grants that can restrict them to specific providers and actions — for example providers: ["github"], actions: ["github/list-repos", "github/*"]. A key with no grants has full access (legacy); a key with empty provider/action lists is an explicit deny-all.

2. Authorization: Bearer <JWT> + Environment-Id (dashboard / user session)

A user JWT plus an explicit environment. The environment must belong to the user's account.

Authorization: Bearer <jwt>
Environment-Id: 42

3. Authorization: Bearer <JWT> alone (fallback)

A user JWT with no Environment-Id falls back to the user's first environment.

Authorization: Bearer <jwt>

Which to use

Use an API-Key for agents, backends, and the SDKs. Use a JWT for browser sessions where a signed-in user acts inside a chosen environment. Public endpoints (the catalog) need no auth at all.

On this page