Develop

API keys

Create, scope, and rotate API keys for SDK, CLI, and webhook signing.

Test and live modes

Every API key is in either test or live mode. Test mode has its own marketplace, balance, and webhook secret; nothing crosses over.

Prefix	Mode	Charges	Webhook secret
`nd_test_…`	Test	None — Stripe test cards only	`whsec_test_…`
`nd_live_…`	Live	Real charges and payouts	`whsec_live_…`

Create a key

Generate keys at Dashboard → API keys. Each key has a name, mode, scope set, and optional expiry. The secret is shown once at creation — copy it immediately and store it in a secrets manager.

Try it right away by calling /v1/me:

bash

curl https://api.nodedata.dev/v1/me \
  -H "Authorization: Bearer nd_test_..."

Restricted (scoped) keys

Default keys can perform any action your account can. Restricted keys narrow that surface. Use them for CI, edge devices, and any environment that does not need full account access.

bash

node-data keys create \
  --name "ci-deploys" \
  --mode live \
  --scope "models:read" \
  --scope "models:upload" \
  --expires 90d

Available scopes

models:read — list and download licensed models
models:upload — create and update models you own
datasets:read / datasets:upload
listings:read / listings:write
payouts:read — read-only access to revenue
deploy:write — create and update deployments
webhooks:write — configure webhook endpoints

Rotation

Rotate keys at least every 90 days, immediately after a teammate offboards, or any time a key is suspected to be compromised. The safe pattern is to overlap: create the new key, deploy it, then revoke the old one.

python

# Issue a new key and overlap-rotate
new_key = node.keys.create(name="ci-deploys-2026q3", mode="live")

# Deploy new key to production secrets
# ...

node.keys.revoke("nd_live_oldkey1234")

Never commit secrets

Node Data scans newly created public listings for embedded credentials and revokes detected keys automatically. If a key is auto-revoked the account owner receives an email within five minutes.

Storing keys

Local dev: .env.local, never .env tracked in git
CI: secrets manager (GitHub Actions secrets, Vercel env, AWS Secrets Manager)
Edge devices: write-once secrets in a TPM, then reference by handle

Prefix

Mode

Charges

Webhook secret

nd_test_…

Test

None — Stripe test cards only

whsec_test_…

nd_live_…

Live

Real charges and payouts

whsec_live_…

Create a key

Generate keys at Dashboard → API keys. Each key has a name, mode, scope set, and optional expiry. The secret is shown once at creation — copy it immediately and store it in a secrets manager.

Try it right away by calling /v1/me:

bash

curl https://api.nodedata.dev/v1/me \
  -H "Authorization: Bearer nd_test_..."

Restricted (scoped) keys

Default keys can perform any action your account can. Restricted keys narrow that surface. Use them for CI, edge devices, and any environment that does not need full account access.

bash

node-data keys create \
  --name "ci-deploys" \
  --mode live \
  --scope "models:read" \
  --scope "models:upload" \
  --expires 90d

Available scopes

models:read — list and download licensed models

models:upload — create and update models you own

datasets:read / datasets:upload

listings:read / listings:write

payouts:read — read-only access to revenue

deploy:write — create and update deployments

webhooks:write — configure webhook endpoints

Rotation

python

# Issue a new key and overlap-rotate
new_key = node.keys.create(name="ci-deploys-2026q3", mode="live")

# Deploy new key to production secrets
# ...

node.keys.revoke("nd_live_oldkey1234")

Never commit secrets

Node Data scans newly created public listings for embedded credentials and revokes detected keys automatically. If a key is auto-revoked the account owner receives an email within five minutes.