API authentication
Generate, send, rotate, and revoke workspace API keys and partner install tokens.
Overview
This page covers how to authenticate with the Nimriz API: the key types Nimriz supports, where to generate them, how to send them, and how to keep them safe. For the broader auth model covering dashboard login, SSO, and session behavior, see Auth model.
Nimriz issues API credentials at the workspace level. Every key is tied to exactly one workspace, and it cannot reach data or settings in any other workspace.
Key types
| Type | Where you get it | What it can do |
|---|---|---|
| Workspace API key | Dashboard, Settings, Integrations, API access | Call link-management and analytics APIs for a single workspace |
| Partner install token | Connecting Nimriz inside Zapier, Make, or n8n | Drive the workspace endpoints the connected platform uses, nothing else |
Keys are service credentials. They belong to the workspace, not to the user who created them. When an admin leaves, their keys keep working until another admin rotates or revokes them.
Sending a key
Every link-management and analytics API call requires a key in one of these headers:
Authorization: Bearer <WORKSPACE_API_KEY>
X-Nim-Api-Key: <WORKSPACE_API_KEY>
Use the Authorization: Bearer form by default; it is the most widely supported across HTTP clients and SDKs.
Managing keys
To generate a workspace API key:
- Go to Dashboard, Settings, Integrations, API access.
- Click Generate API key, give it a descriptive name, and confirm.
- Copy the key from the one-time reveal dialog. Nimriz does not store the plaintext; if you lose it you must generate a new one.
To revoke a key:
- Open the same panel.
- Find the row for the key, click Revoke, and confirm.
Only workspace admins and owners can generate or revoke workspace API keys. Members and viewers can see that keys exist in the workspace but cannot create or modify them.
Partner install tokens
When you connect Nimriz inside Zapier, Make, or n8n, the platform issues a partner install token on your behalf. These tokens are workspace-scoped and are managed from the same API access panel, alongside your workspace API keys. Rotating or revoking a partner install token disconnects that platform connection; the platform prompts you to reconnect.
For platform-specific setup, see the Zapier, Make, and n8n guides.
Security rules
- Store keys in server-side environment variables only. Never embed a key in a browser bundle, a mobile app, a client-side script, or a public repository.
- Rotate keys immediately if you suspect compromise, and remove old keys from your Integrations panel.
- Use a dedicated key per integration or environment (staging, production) so you can revoke one without disrupting the others.
- Monitor your workspace's Recent activity and audit log for unexpected link creations or destination changes.
Common errors
| Response | Meaning |
|---|---|
| 401 Unauthorized | Missing or malformed Authorization header. Check the header name and that the key starts with the correct prefix. |
| 401 invalid_api_key | The key is not recognized. It may have been revoked, or the value may have been truncated or mistyped. |
| 403 api_key_account_mismatch | The key is valid but belongs to a different workspace than the resource you are addressing. Use a key from the correct workspace. |
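
The following is an added example, not Nimriz code: a server-side helper that loads one key per environment from environment variables, sends it in the Authorization: Bearer header, and maps the error responses in the table above to the action they call for. The environment variable names, the base URL, and the idea that the error code arrives as a separate string are assumptions, not documented Nimriz behavior.

```python
import os
import urllib.request

# Assumptions (not from the Nimriz docs): variable naming scheme and base URL.
ENV_VAR_TEMPLATE = "NIMRIZ_API_KEY_{env}"   # hypothetical: one key per environment
BASE_URL = "https://api.example.invalid"    # placeholder, not a real endpoint


def load_key(environment, environ=os.environ):
    """Return the key dedicated to one environment, or raise if it is unusable."""
    name = ENV_VAR_TEMPLATE.format(env=environment.upper())
    key = environ.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set")
    # Whitespace or control characters inside the value point to a bad paste
    # or a truncated copy; refuse it instead of sending a malformed header.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in key):
        raise RuntimeError(f"{name} contains whitespace or control characters")
    return key


def build_request(path, key, method="GET"):
    """Build (but do not send) a request carrying the key as a Bearer token."""
    req = urllib.request.Request(BASE_URL + path, method=method)
    req.add_header("Authorization", f"Bearer {key}")
    return req


def redact(key):
    """Form that is safe to log: the last four characters only."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def diagnose(status, error_code=None):
    """Map the documented error responses to the operator action they call for."""
    if status == 401 and error_code == "invalid_api_key":
        return "key revoked, truncated or mistyped: generate a new key"
    if status == 401:
        return "header missing or malformed: check header name and key prefix"
    if status == 403 and error_code == "api_key_account_mismatch":
        return "key belongs to another workspace: use the correct workspace's key"
    return "not an authentication error documented on this page"
```

Because each environment reads its own variable, revoking the staging key leaves the production key untouched.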