Skip to main content

Authentication

In a nutshell

API keys identify your business in the Subscriptions Engine. They are not Nomba credentials and should only be used from trusted server-side environments.

API key header

Protected endpoints require this header:
X-Api-Key: sub_xxx
Example:
curl https://nombasub.oluwadunsin.dev/v1/plan/ \
  -H "X-Api-Key: sub_xxx"

Get an API key

Register your business:
curl -X POST https://nombasub.oluwadunsin.dev/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "businessName": "Acme SaaS",
    "accountId": "nomba_account_or_subaccount_id"
  }'
Or retrieve an existing key by account ID:
curl -X POST https://nombasub.oluwadunsin.dev/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "accountId": "nomba_account_or_subaccount_id"
  }'

Security rules

  • Keep API keys on your backend only.
  • Never expose keys in frontend JavaScript, mobile binaries, or public repositories.
  • Use HTTPS for all API calls and webhook endpoints.
  • Rotate keys if they are leaked.
  • The MCP server, when available, uses the same Subscriptions Engine API key model.