When to use API keys vs SDK credentials
| | API Keys | SDK Credentials |
|---|---|---|
| Auth method | Bearer token (nsl_...) | OAuth 2.0 client credentials |
| Endpoint | Console proxy (console.neuronsearchlab.com/api/...) | Core API (api.neuronsearchlab.com) |
| Rerank controls | Applied automatically | Not available |
| Use case | Testing, internal tools, proxy-based integrations | Production SDK integration |
Create an API key
- Navigate to Console > API Keys.
- Click New API Key.
- Enter a descriptive name (e.g. “Staging Backend”, “Internal Dashboard”).
- Select an environment tag for organisational purposes.
- Choose which scopes the key can access: recommendations, events, or items.
- Click Create Key.
Authenticate requests
Include your API key as a Bearer token in the Authorization header:
Key format
API keys follow the format nsl_<prefix>_<token>:
- nsl_ — fixed prefix identifying a NeuronSearchLab key.
- <prefix> — 8-character identifier shown in the console for easy recognition.
- <token> — the full random token. Only the SHA-256 hash is stored server-side.
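An added example, not part of the original page or NeuronSearchLab's own code: a scanner that finds key-shaped strings in logs or config files and redacts the token while keeping the 8-character prefix, so a leaked key can be matched to its console entry and revoked. The character sets and minimum token length in the pattern are assumptions, and the sample keys are constructed.

```python
import hashlib
import re

# Assumption: the page documents only the nsl_<prefix>_<token> layout and the
# 8-character prefix. The character sets and the 16-character minimum token
# length below are guesses; tune them to the keys your console issues.
KEY_RE = re.compile(r"\bnsl_([A-Za-z0-9]{8})_([A-Za-z0-9_-]{16,})")


def redact(text):
    """Mask the secret token but keep the prefix, which the console
    already displays, so the key can be identified and revoked."""
    return KEY_RE.sub(lambda m: f"nsl_{m.group(1)}_[REDACTED]", text)


def fingerprint(full_key):
    """Truncated SHA-256 used to correlate sightings of the same key
    without copying the key into the report."""
    return hashlib.sha256(full_key.encode()).hexdigest()[:12]


def scan(lines):
    """Return one finding per key occurrence, never the key itself."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "line": lineno,
                "prefix": m.group(1),
                "fingerprint": fingerprint(m.group(0)),
                "redacted": redact(line),
            })
    return findings


# Constructed sample input; both keys are made up for this example.
SAMPLE = [
    "NSL_API_KEY=nsl_a1b2c3d4_Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA",
    'headers = {"Authorization": "Bearer nsl_a1b2c3d4_Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA"}',
    "Keys follow the format nsl_<prefix>_<token>",
    'const key = "nsl_9f8e7d6c_QUJDREVGR0hJSktMTU5PUFFSU1RVVg";',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["line"], f["prefix"], f["fingerprint"], f["redacted"])
```

The same `redact` function can be applied to log lines before they are written, so a key that reaches a log message is stored only as its prefix.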
Scopes
Each key is restricted to specific API scopes:
| Scope | Grants access to |
|---|---|
| recommendations | GET /api/recommendations |
| events | POST /api/events (coming soon) |
| items | POST /api/items, PATCH /api/items/:id, DELETE /api/items (coming soon) |
403 Forbidden.
Revoke a key
- Navigate to Console > API Keys.
- Click Revoke on the key you want to deactivate.
Security practices
- One key per service or environment. Avoid sharing keys across applications.
- Tag keys with the correct environment to make auditing easier.
- Rotate keys periodically. Create a new key, deploy it, then revoke the old one.
- Never expose keys client-side. API keys are for server-to-server use only.

