Create an API key
Nona read access is driven by API keys.
An API key is bound to one project and can also be limited by:
- environment
- scope
That means an API key is not just a password. It also expresses what kind of config the app should be allowed to read.
Pick the smallest scope that works
Section titled “Pick the smallest scope that works”- use
clientfor frontend and mobile apps - use
serverfor backend-only reads - use
allonly when both are required
In practice:
- a React Native app usually starts with a
clientkey - a backend worker usually starts with a
serverkey allis best reserved for cases where both sides genuinely need the same values
Environment scoping
Section titled “Environment scoping”If possible, scope the key to the environment it actually needs.
For example:
- mobile production app ->
production - staging web app ->
staging - backend service in production ->
production
This reduces accidental cross-environment reads and keeps access narrower.
Recommended first key
Section titled “Recommended first key”For a simple first test, create a project-scoped key, limit it to production if that is your target environment, and match the key scope to the config entry scope.
In admin
Section titled “In admin”- open
Projects - open the target project
- find the
API Keyssection near the top of the project page - enter a key name
- choose the scope
- optionally choose an environment such as
production - click
Create - copy the generated key value before you leave the page
The same section lets you reveal, copy, and delete existing keys.
With the CLI
Section titled “With the CLI”Create a scoped key:
nona keys create \ --project storefront \ --name "Web app" \ --scope client \ --environment productionList keys for the same project:
nona keys list --project storefrontnona keys show --project storefront also works.
Delete a key when it is no longer needed:
nona keys delete --project storefront --id 42A simple decision guide
Section titled “A simple decision guide”| App type | Suggested first scope |
|---|---|
| Web frontend | client |
| Mobile app | client |
| Backend API | server |
| Shared backend + frontend read path | all |
Security habits
Section titled “Security habits”- store API keys in your secrets system or environment variables
- do not hardcode them in source code
- do not give frontend apps a broader scope than they need
- rotate keys when your access model changes
- prefer creating a new narrowly scoped key over reusing one broad key everywhere
Validate the key
Section titled “Validate the key”After creating a key, test one real read:
curl "https://nona.example.com/api/production/Features%3ACheckout" \ -H "X-Api-Key: <your-api-key>"If the read fails, check the three most common causes first:
- wrong project
- wrong environment
- wrong scope for the entry you are trying to read
API key FAQ
Section titled “API key FAQ”Should I create one broad key for everything?
Section titled “Should I create one broad key for everything?”No.
It is better to create a narrowly scoped key for each real application read surface than to reuse one broad key everywhere.
Should frontend apps use all scope?
Section titled “Should frontend apps use all scope?”Usually no.
Frontend and mobile apps should usually start with client unless there is a real reason they need broader access.
Do I need a separate key per environment?
Section titled “Do I need a separate key per environment?”Often yes.
Environment scoping is a useful way to avoid accidental cross-environment reads and to keep access narrower.
What should I do if a key works in admin but not in the app?
Section titled “What should I do if a key works in admin but not in the app?”Check the project, environment, and scope alignment first.
Those are the most common reasons a read fails after the key is created.