Skip to main content
Create API applications from the partner app under Settings → Platform → API Applications. Admins can use the organization hub for support, but the primary owner is the partner organization.
1

Open API Applications

In the partner app, open Settings, then Platform, then API Applications. Choose Create API application.
2

Name the application

Use a name that identifies the service or deployment that will hold the credential, such as Treasury API or Payments worker production.
3

Choose the signing key

Use one of the supported RSA public-key flows:
  • Browser generation: Nuvera generates an RSA key pair in the browser, downloads the private key locally, and saves only the public key.
  • External key pair: Generate a 2048-bit or stronger RSA key pair in your own key-management process and paste only the public key PEM.
Nuvera never stores the private key.
4

Select permissions

Select only the permissions the service needs. If you select a write permission, keep the matching read permission enabled because write flows often need read-back and ownership checks.
5

Create and store the API key

After creation, Nuvera displays the secret API key one time. Store it immediately in the partner service secret manager. Existing raw API keys cannot be displayed later by partners or admins.

Public key requirements

The public key must be an RSA SPKI PEM key with a modulus of at least 2048 bits: 
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
Do not paste a private key into the public-key field. Do not store private keys in source control, screenshots, tickets, docs, logs, or proof artifacts.

One-time secret handling

The one-time API key is the value sent in x-api-key. After the dialog closes, Nuvera retains only:
  • a keyed hash used for authentication,
  • the key prefix,
  • the last four characters,
  • status,
  • expiration or revocation metadata,
  • last-used metadata.
If the key is lost before it is stored, create a replacement key and revoke the lost key.

Admin support management

Admins can inspect the application, adjust permissions, disable or re-enable it, replace the signing public key, create a replacement API key, revoke a key, and delete the application. Admins still cannot reveal an existing raw key. Use admin management only for support, emergency disablement, permission fixes, and partner-assisted rotation.