nXus uses API keys passed via the Authorization request header as Bearer tokens to authenticate all requests.
Every request to the nXus API must include your API key in the Authorization header as a Bearer token. Keys are scoped to an organization and optionally to a specific environment (development or production).
import { NxusClient, NxusApiError, type Vendor, type PaginatedPage } from '@nxus/sdk';
const nxus = new NxusClient({ apiKey: process.env.NXUS_API_KEY });
try {
const result: PaginatedPage<Vendor> = await nxus.vendors.list({
connectionId: 'conn_abc123',
limit: 50
});
console.log(result.data);
} catch (err) {
if (err instanceof NxusApiError) {
console.error(`API Error: ${err.userMessage}`);
console.log(err.validationErrors);
}
}Security Best Practice
Keep your keys secret. Never expose API keys in client-side JavaScript, public repos, or logs. Rotate any key you believe has been compromised immediately from the dashboard.
| Name | Type | Description |
|---|---|---|
| Test | sk_test_... | Use with QuickBooks sample files only. Available on the free tier. |
| Live | sk_live_... | Use with real company files. Requires a production plan. |
Create, view, revoke, and rotate keys from the dashboard under Settings -> API Keys.
API-key management is no longer part of the public API reference. Those operations are handled by the authenticated dashboard and our internal platform client instead of public API requests.
Keys can be configured with an optional expiry date. After expiry, requests return a 401 Unauthorized response. Plan ahead and rotate before expiry using the rotate endpoint or the dashboard.
nXus error responses are designed for both developers and operators: machine-readable enough for apps to handle automatically, and human-readable enough to explain what to do next.
Applications can inspect the same predictable error shape instead of special-casing every endpoint.
User-facing text stays understandable for operators while still preserving the technical context developers need.
The most common failures map cleanly to concrete fixes like rotating a key, reopening QuickBooks, or correcting a payload.
{
"error": {
"code": "api_key_invalid",
"type": "authentication_error",
"message": "The provided API key is invalid or has been revoked.",
"userFacingMessage": "Your API key is no longer valid. Create or rotate a key and try again.",
"httpStatusCode": 401
}
}The API key is missing, invalid, expired, or revoked.
Recommended fix: Confirm the Bearer token, verify the environment, and rotate the key if needed.
Retry guidance: Retry only after updating credentials.
View full error docsHandling Strategy
Prefer `error.userFacingMessage` when present for operator-visible UI. If the backend returns standard problem details instead, fall back to `detail`, then `title`, and only then to a generic message.