Authentication
In a nutshell
API keys identify your business in the Subscriptions Engine. They are not Nomba credentials and should only be used from trusted server-side environments.API key header
Protected endpoints require this header:Get an API key
Register your business:Security rules
- Keep API keys on your backend only.
- Never expose keys in frontend JavaScript, mobile binaries, or public repositories.
- Use HTTPS for all API calls and webhook endpoints.
- Rotate keys if they are leaked.
- The MCP server, when available, uses the same Subscriptions Engine API key model.
