Every request is authenticated with an API key sent in the X-API-Key header:
curl -s https://ndi-api.nace.ai/api/v1/jobs \
-H "X-API-Key: ndi_sk_..."
Keys start with the prefix ndi_sk_. They are issued by your Nace representative and are scoped to your organization (tenant): every job, uploaded file, and result belongs to the tenant whose key created it, and is invisible to every other tenant.
Handling your key
Treat the key like a password. Anyone holding it can start jobs, read your job history, and download your results.
- Store it in a secret manager or environment variable — never in source control, client-side code, or logs.
- Use one key per environment / integration so a leak can be revoked without breaking everything else.
- If a key is exposed, contact us immediately — revocation takes effect within minutes across all servers.
Failure modes
| Situation | Response |
|---|
| Header missing or malformed | 401 with error.code = "unauthorized" |
| Key unknown or revoked | 401 with error.code = "unauthorized" |
| Key valid but account disabled | 401 with error.code = "unauthorized" |
The response never distinguishes why a key was rejected — that is deliberate.
All error responses share one envelope; see Errors & limits.