> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nuvera.global/llms.txt
> Use this file to discover all available pages before exploring further.

# Create API Application

> Create a partner API application, signing key, permissions, and first one-time API key

Create API applications from the partner app under **Settings → Platform → API Applications**. Admins can use the organization hub for support, but the primary owner is the partner organization.

<Steps>
  <Step title="Open API Applications">
    In the partner app, open **Settings**, then **Platform**, then **API Applications**. Choose **Create API application**.
  </Step>

  <Step title="Name the application">
    Use a name that identifies the service or deployment that will hold the credential, such as `Treasury API` or `Payments worker
          production`.
  </Step>

  <Step title="Choose the signing key">
    Use one of the supported RSA public-key flows:

    * **Browser generation**: Nuvera generates an RSA key pair in the browser, downloads the private key locally, and saves only the public key.
    * **External key pair**: Generate a 2048-bit or stronger RSA key pair in your own key-management process and paste only the public key PEM.

    Nuvera never stores the private key.
  </Step>

  <Step title="Select permissions">
    Select only the permissions the service needs. If you select a write permission, keep the matching read permission enabled because write
    flows often need read-back and ownership checks.
  </Step>

  <Step title="Create and store the API key">
    After creation, Nuvera displays the secret API key one time. Store it immediately in the partner service secret manager. Existing raw API keys cannot be displayed later by partners or admins.
  </Step>
</Steps>

## Public key requirements

The public key must be an RSA SPKI PEM key with a modulus of at least 2048 bits:

```pem theme={null}
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
```

Do not paste a private key into the public-key field. Do not store private keys in source control, screenshots, tickets, docs, logs, or proof artifacts.

## One-time secret handling

The one-time API key is the value sent in `x-api-key`. After the dialog closes, Nuvera retains only:

* a keyed hash used for authentication,
* the key prefix,
* the last four characters,
* status,
* expiration or revocation metadata,
* last-used metadata.

If the key is lost before it is stored, create a replacement key and revoke the lost key.

## Admin support management

Admins can inspect the application, adjust permissions, disable or re-enable it, replace the signing public key, create a replacement API key, revoke a key, and delete the application. Admins still cannot reveal an existing raw key.

Use admin management only for support, emergency disablement, permission fixes, and partner-assisted rotation.