Nyman Media

API keys

API keys authenticate every call to the public REST API and the CLI. They are scoped to a single user and inherit that user's Premium entitlement.

Creating a key

  1. Go to Account settings → API access on the web app.
  2. Click Create key and give it a descriptive name (e.g. GitHub Actions · prod).
  3. Copy the full secret. It starts with nmav_live_ and is shown only once. If you lose it, revoke the key and create a new one.

Storing keys safely

  • Treat a key like a password. Never commit one to git or paste it into a shared document.
  • In CI, store the key as a masked/secret variable (GitHub Actions Secrets, GitLab protected variables, CircleCI contexts).
  • On a developer machine, run nmav login. The CLI writes the key to ~/.config/nmav/config.json with mode 0600.
  • The server stores only a SHA-256 hash of the secret plus the first 12 characters for display. We cannot recover the full key if you lose it.

Rotation

Rotate keys periodically, or any time a teammate with access leaves:

  1. Create a new key.
  2. Update the CI secret / local config to the new key.
  3. Verify that an audit runs successfully with the new key.
  4. Revoke the old key from the same settings screen.

Revoking

Click Revoke next to a key on the settings page. Revocation takes effect on the next request: revoked keys return 401 Unauthorized. There is no undo; create a new key if you revoked one by mistake.

What happens when a subscription ends

Keys are not deleted when a user downgrades or cancels. The API simply starts returning 402 Payment Required. Resubscribing restores access without needing to re-issue keys. If you do not plan to resubscribe, revoke any unused keys.

Monitoring usage

The settings page shows each key's last_used_at timestamp. If a key you thought was idle shows recent activity, or vice versa, investigate and rotate immediately.
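
The storage and status-code behaviour described on this page, as an added Python illustration (not Nyman Media's server code): only a SHA-256 hash and the first 12 characters are kept, unknown or revoked keys get 401, and a lapsed subscription gets 402. The names issue_key, authenticate and KeyRecord, the in-memory store, the format of the random part of the key, and updating last_used_at only on success are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PREFIX = "nmav_live_"  # key prefix stated on the page
DISPLAY_LEN = 12       # characters kept for display, per the page


@dataclass
class KeyRecord:
    """What the server side keeps: a hash and a display prefix, never the secret."""
    name: str
    sha256_hex: str
    display: str
    revoked: bool = False
    last_used_at: Optional[datetime] = None


def issue_key(store: dict, name: str) -> str:
    """Create a key, persist only its hash, and return the secret exactly once."""
    # Assumption: the random part is URL-safe base64; the page does not say.
    secret = PREFIX + secrets.token_urlsafe(32)
    digest = hashlib.sha256(secret.encode()).hexdigest()
    store[digest] = KeyRecord(name, digest, secret[:DISPLAY_LEN])
    return secret


def authenticate(store: dict, presented: str, premium_active: bool) -> int:
    """Return the HTTP status the page describes for a presented key."""
    # The lookup uses the hash of what was presented, so the stored data
    # alone cannot be turned back into a usable key.
    digest = hashlib.sha256(presented.encode()).hexdigest()
    record = store.get(digest)
    if record is None or record.revoked:
        return 401  # unknown or revoked: effective on the next request
    if not premium_active:
        return 402  # key is kept, so resubscribing restores access
    # Assumption: last_used_at is updated only on successful requests.
    record.last_used_at = datetime.now(timezone.utc)
    return 200
```

Because the record holds only the digest and a 12-character prefix, a lost secret cannot be redisplayed; the only recovery path is to revoke and issue a new key.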