> ## Documentation Index
> Fetch the complete documentation index at: https://nombasub.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate server-side requests with tenant API keys.

# Authentication

## In a nutshell

API keys identify your business in the Subscriptions Engine. They are not Nomba credentials and should only be used from trusted server-side environments.

## API key header

Protected endpoints require this header:

```bash theme={null}
X-Api-Key: sub_xxx
```

Example:

```bash theme={null}
curl https://nombasub.oluwadunsin.dev/v1/plan/ \
  -H "X-Api-Key: sub_xxx"
```

## Get an API key

Register your business:

```bash theme={null}
curl -X POST https://nombasub.oluwadunsin.dev/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "businessName": "Acme SaaS",
    "accountId": "nomba_account_or_subaccount_id"
  }'
```

Or retrieve an existing key by account ID:

```bash theme={null}
curl -X POST https://nombasub.oluwadunsin.dev/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "accountId": "nomba_account_or_subaccount_id"
  }'
```

## Security rules

* Keep API keys on your backend only.
* Never expose keys in frontend JavaScript, mobile binaries, or public repositories.
* Use HTTPS for all API calls and webhook endpoints.
* Rotate keys if they are leaked.
* The MCP server, when available, uses the same Subscriptions Engine API key model.
