Nuvera exposes the REST API layer only to partner organizations. A partner API application is a server-to-server credential set owned by one partner workspace and scoped by explicit permissions. The production integration flow is:
  1. Create an API application in the partner settings area.
  2. Generate or upload an RSA public signing key.
  3. Select only the REST permissions the service needs.
  4. Store the one-time API key in the partner secret manager.
  5. Sign every REST request with the matching private key.
  6. Use the generated API reference pages for endpoint schemas.
  7. Rotate API keys and signing keys through the application management screens.

Access model

Partner users manage their own API applications under Settings → Platform → API Applications. Nuvera admins can inspect and manage the same applications from the admin organization hub only for support, emergency disablement, permission fixes, and partner-assisted rotation. Customer-platform users cannot create or use REST API applications.

Credential model

Each application has two credential layers:
  • x-api-key: a one-time secret API key. Nuvera stores only the hash, prefix, last four characters, status, and usage metadata.
  • RS256 request signature: a JWT signed by the partner-held RSA private key. Nuvera stores the public key and verifies each request.
Nuvera does not store partner private keys. Private keys are generated or stored by the partner. If the browser generates a key pair, the private key is downloaded locally and the public key is saved to Nuvera.

Permissions

Every REST handler has an explicit permission. Write permissions require the matching read permission where the resource has both read and write operations.
| Area | Read permission | Write permission |
| --- | --- | --- |
| Customers | CUSTOMERS_READ | CUSTOMERS_WRITE |
| Beneficiaries | BENEFICIARIES_READ | BENEFICIARIES_WRITE |
| Documents | DOCUMENTS_READ | DOCUMENTS_WRITE |
| Crypto reference data | CRYPTO_READ | Not applicable |
| Payments | PAYMENTS_READ | PAYMENTS_WRITE |
| Screening | SCREENING_READ | Not applicable |
| Support | SUPPORT_READ | SUPPORT_WRITE |

Request requirements

Every REST call must include:
x-api-key: <your-api-key>
Authorization: Bearer <signed-request-jwt>
The JWT must use RS256, issuer nuvera-api, audience nuvera-rest-api, a lifetime of 60 seconds or less, a unique jti, and claims for the exact request method, URI, and body hash.
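
The claim requirements above, written out as the checks a verifier could run once the RS256 signature has been verified against the stored public key. This is an added example, not Nuvera's code. The claim names method, uri and body_sha256, the SHA-256 hex body hash, the in-memory seen_jti set and the sample path are assumptions, because this page does not name them.

```python
import hashlib
import time

MAX_LIFETIME = 60  # seconds, the lifetime cap stated above


def check_request_claims(header, claims, method, uri, body, seen_jti, now=None):
    """Return a list of rejection reasons; an empty list means the claims pass.

    Signature verification is assumed to have happened already. The claim
    names method / uri / body_sha256 are hypothetical, not Nuvera's.
    """
    now = time.time() if now is None else now
    errors = []
    if header.get("alg") != "RS256":  # refuse "none", HS256 and anything else
        errors.append("alg")
    if claims.get("iss") != "nuvera-api":
        errors.append("iss")
    if claims.get("aud") != "nuvera-rest-api":
        errors.append("aud")
    iat, exp = claims.get("iat"), claims.get("exp")
    numeric = all(isinstance(v, (int, float)) for v in (iat, exp))
    if not numeric or not (0 < exp - iat <= MAX_LIFETIME) or not (iat <= now < exp):
        errors.append("lifetime")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti or jti in seen_jti:
        errors.append("jti")  # missing, malformed, or replayed token id
    if claims.get("method") != method.upper():
        errors.append("method")
    if claims.get("uri") != uri:
        errors.append("uri")
    if claims.get("body_sha256") != hashlib.sha256(body).hexdigest():
        errors.append("body")  # body changed after signing
    if not errors:
        seen_jti.add(jti)  # record only tokens that were accepted
    return errors


# Constructed sample request and claims (not real Nuvera data or endpoints).
BODY = b'{"name":"Example"}'
CLAIMS = {
    "iss": "nuvera-api", "aud": "nuvera-rest-api",
    "iat": 1_700_000_000, "exp": 1_700_000_030, "jti": "constructed-jti-0001",
    "method": "POST", "uri": "/v1/customers",
    "body_sha256": hashlib.sha256(BODY).hexdigest(),
}
```

Because a token is valid for at most 60 seconds, a replay cache only has to retain each jti until that token's exp has passed.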

Create an application

Set up keys, permissions, and the one-time API key.

Sign requests

Generate the JWT for JSON and multipart requests.

Rotate keys

Replace API keys and signing keys safely.