docs/api-reference/authentication.mdx
The Novu REST API uses API key authentication. Every server-side request must include your environment's secret key in the Authorization header.
Include your secret key in the Authorization header, prefixed with ApiKey:
--header 'Authorization: ApiKey <NOVU_SECRET_KEY>'
Example request:
curl -X GET https://api.novu.co/v1/subscribers \
--header 'Authorization: ApiKey <NOVU_SECRET_KEY>'
When using a server-side SDK, pass your secret key during initialization:
import { Novu } from '@novu/api';
const novu = new Novu({
secretKey: process.env.NOVU_SECRET_KEY,
});
Each Novu environment has two credentials. Use the right one for the context:
| Credential | Visibility | Used for |
|---|---|---|
| Secret key | Private | Authenticating REST API and server-side SDK requests |
| Application identifier | Public | Initializing the <Inbox /> component and client-side SDKs |
The secret key grants full administrative access to your environment. Never expose it in frontend code, public repositories, or browser network requests.
The application identifier is safe to use in client-side code. It identifies your application within Novu but does not authorize API requests on its own.
Each environment has its own secret key and application identifier. Use the credentials that match the environment you are targeting.
<Card title="API keys" icon="key" href="/platform/developer/api-keys"> Learn more about application identifiers, secret keys, and API hostnames. </Card>API keys are scoped to a single environment. Requests authenticated with a secret key only access resources in that environment.
When you regenerate a secret key in the dashboard, the previous key is invalidated immediately. Update your environment variables before rotating keys in production.
Use the base URL that matches your Novu Cloud region:
| Region | Base URL |
|---|---|
| US (default) | https://api.novu.co/v1 |
| EU | https://eu.api.novu.co/v1 |
When using the EU region, also configure the WebSocket hostname for real-time Inbox updates:
| Region | WebSocket URL |
|---|---|
| US (default) | wss://ws.novu.co |
| EU | wss://eu.socket.novu.co |
If authentication fails, the API returns a 401 Unauthorized response. Common causes:
Authorization headerVerify that your header uses the ApiKey prefix (not Bearer) and that the secret key matches the active environment.