Authentication

API keys

Every request must be authenticated with an API key. Keys are created in the dashboard under API Keys, begin with the prefix nbh_, and are tied to your account’s prepaid wallet. The full key is shown only once at creation — we store only a SHA-256 hash and cannot recover it later.

Passing your key

You can authenticate using either header — both are equivalent:

• Authorization: Bearer nbh_... (recommended; works with OpenAI SDKs out of the box)
• X-API-Key: nbh_...

curl https://api.nabh.cloud/v1/chat/completions \
  -H "Authorization: Bearer nbh_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{ "model": "mistral-7b-instruct", "messages": [{"role":"user","content":"Hi"}] }'

Key management

• Multiple keys — create separate keys per app or environment. Limits are 1 (Free), 5 (Developer), and 50 (Pro).
• Expiry — set an optional expiry date; the key stops working automatically after it.
• IP whitelisting — restrict a key to specific IP addresses or CIDR ranges. Requests from other IPs are rejected with IP_NOT_ALLOWED.
• Revocation — deactivate a key instantly from the dashboard if it is compromised.

Keeping keys safe

• Never embed keys in client-side code, mobile apps, or public repositories.
• Call the API from your backend and keep keys in environment variables or a secrets manager.
• Rotate keys periodically and revoke any key you suspect is leaked — all usage on a key is billed to your wallet.

Authentication errors

A missing, malformed, expired, or revoked key returns 401 AUTHENTICATION_ERROR:

{
  "error": {
    "code": "AUTHENTICATION_ERROR",
    "message": "Missing or invalid API key"
  }
}