API keys

Create, manage, and revoke keys for the public REST API.

API keys let scripts and integrations talk to your organisation's data through the public REST API. Keys are scoped: each one carries its own permissions and (optionally) an expiry date.

Creating a key

  1. Open Dashboard → Developer.
  2. Click New key (top-right).
  3. Fill in:
    • Key name: a label for you, e.g. "Zapier, leads sync". 1–100 characters, required.
    • Permissions: tick the boxes for what the key can do. Currently covers Leads (read, create, update, delete). Default: all unticked.
    • Expiry: optional. If set, the key stops working after that date.
  4. Click Create key.

A modal appears showing the raw key, masked by default. Click the eye icon to reveal, then Copy it.

You only see the raw key once

We never store the plaintext, only a SHA-256 hash. If you lose the key, you can't recover it; you'll need to make a new one. Save it in your password manager or your CI's secret store before closing the dialog.

Using a key

Send it as a Bearer token in the Authorization header:

Authorization: Bearer sk_xxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The first 14 characters (sk_xxxxxxxx_...) are your key prefix. You'll see this on the keys list, in the audit log, and in error messages. The prefix alone can't be used to authenticate.
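
A sketch of how a service can verify a Bearer key while keeping only its SHA-256 hash and a 14-character lookup prefix, added here as an example and not this product's own code. The key format, the record fields, and the 401 returned for an expired key are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PREFIX_LEN = 14  # per the page: the first 14 characters are the key prefix

def new_key(expires_at=None):
    """Return (raw_key, record). Only the record is persisted."""
    # Constructed format (assumption): sk_ + 8 hex chars + _ + 32 hex chars.
    raw = f"sk_{secrets.token_hex(4)}_{secrets.token_hex(16)}"
    record = {
        "prefix": raw[:PREFIX_LEN],                          # safe to display and log
        "sha256": hashlib.sha256(raw.encode()).hexdigest(),  # plaintext is never stored
        "active": True,                                      # False once revoked
        "expires_at": expires_at,                            # None means no expiry
    }
    return raw, record

def authenticate(header, store, now=None):
    """Return (status, record) for an Authorization header value.

    `store` maps prefix -> record, standing in for a database lookup.
    """
    now = now or datetime.now(timezone.utc)
    scheme, _, raw = header.partition(" ")
    # A bare prefix is rejected outright; it would also fail the hash check.
    if scheme != "Bearer" or len(raw) <= PREFIX_LEN:
        return 401, None
    record = store.get(raw[:PREFIX_LEN])
    if record is None:
        return 401, None
    digest = hashlib.sha256(raw.encode()).hexdigest()
    # Constant-time comparison avoids leaking how many hash characters matched.
    if not hmac.compare_digest(digest, record["sha256"]):
        return 401, None
    if not record["active"]:  # revoked keys get a 401, as the page states
        return 401, None
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return 401, None      # assumption: expired keys are rejected the same way
    return 200, record
```
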

Editing a key

Click the row in the keys list. You can change:

  • Name: relabel the key any time.
  • Permissions: tick / untick boxes.

You can't change the expiry once a key is created.

Revoking a key

Two options:

  • Revoke: marks the key inactive. Requests with it will get a 401. The key stays in the list for audit purposes.
  • Delete: permanently removes the key. Once deleted there's no history of it ever existing (apart from audit log entries).

Revoke first when in doubt; it's reversible (we can re-activate). Delete only when you're sure.

Temp keys from the docs playground

When you click Generate test token on an API endpoint page in the docs, the system creates a 1-hour key on your behalf, named "Docs playground (temp)". These show up in the same keys list, scoped to leads CRUD, and auto-expire. Revoke them early if you're worried.

Permissions you'll need

You need Developer permission, plus the Developer API feature flag enabled on your org. The feature flag is enabled by your platform admin; it's not self-serve.