Authentication

Every request to the Xora API must be authenticated. You can use an API key (for programmatic access) or a Clerk session (for the dashboard UI).

API keys start with nte_ and are 52 characters long. You create them in the dashboard and they’re shown only once — copy the full key when it’s displayed.

You can pass your API key in either of two headers, Authorization (as a Bearer token) or X-API-KEY:

curl https://api.xora.sh/v1/jobs \
  -H "Authorization: Bearer nte_your_api_key_here"

Both methods are equivalent. Use whichever fits your HTTP client best.

  1. Sign in at xora.sh/app
  2. Go to Dashboard → Tokens
  3. Click Create Token and give it a name (e.g., “Production API”)
  4. Copy the full key immediately — it won’t be shown again

In Dashboard → Tokens, click the delete button next to any key. Once revoked, all requests using that key will receive a 401 response immediately.

The web dashboard at /app uses Clerk for authentication. When you interact with the dashboard, it calls /api/v1/* on xora.sh (same origin) using your Clerk session cookie — no API key needed.

Programmatic clients should use https://api.xora.sh/v1 with an API key.

If authentication fails, the API returns a 401 status with this JSON body:

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authentication required. Provide a valid Bearer token or sign in via the dashboard.",
    "retryable": false
  }
}

Common causes:

  • Missing Authorization or X-API-KEY header
  • Key doesn’t start with nte_
  • Key has been revoked
  • Key was copy-pasted incorrectly (check for trailing spaces)
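
The causes listed above can be separated on the client before anything is logged or retried. The following is an added example, not code from Xora: the function names are hypothetical, the sample key is constructed, and the 52-character length is assumed to include the nte_ prefix.

```python
import json

KEY_PREFIX = "nte_"  # from the page
KEY_LENGTH = 52      # from the page; assumed to count the nte_ prefix

# Constructed samples: a well-formed dummy key and the 401 body (message shortened).
SAMPLE_KEY = KEY_PREFIX + "a" * (KEY_LENGTH - len(KEY_PREFIX))
SAMPLE_401 = ('{"error": {"code": "UNAUTHORIZED", '
              '"message": "Authentication required.", "retryable": false}}')


def key_format_problems(key):
    """Return the 401 causes that can be checked without sending the key."""
    if not key or not key.strip():
        return ["no key supplied"]
    problems = []
    if key != key.strip():
        problems.append("leading or trailing whitespace")
    core = key.strip()
    if not core.startswith(KEY_PREFIX):
        problems.append("does not start with nte_")
    if len(core) != KEY_LENGTH:
        problems.append(f"length {len(core)}, expected {KEY_LENGTH}")
    return problems


def redact(key):
    """Log-safe form of a key: the public prefix and last four characters."""
    core = (key or "").strip()
    return f"{core[:4]}...{core[-4:]}" if len(core) >= 12 else "[redacted]"


def explain_401(status, body, key):
    """Diagnose an auth failure from the documented error body and the key."""
    if status != 401:
        return "not an authentication failure"
    try:
        err = json.loads(body)["error"]
        code, retryable = err["code"], err["retryable"]
    except (ValueError, KeyError, TypeError):
        return "401 without the documented error body"
    if code != "UNAUTHORIZED":
        return f"unexpected error code {code}"
    problems = key_format_problems(key)
    if problems:
        return f"fix key {redact(key)}: " + "; ".join(problems)
    hint = "do not retry" if retryable is False else "retry may help"
    return f"key {redact(key)} is well-formed but rejected (revoked or mistyped); {hint}"
```

A well-formed key that is still rejected points to revocation or a mistyped character, which only the dashboard can confirm.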

Browser requests are allowed from the configured dashboard origin (set via XORA_PUBLIC_ORIGIN). If CORS is not configured, all origins are allowed.

The API accepts these headers in cross-origin requests:

  • Authorization
  • Content-Type
  • X-API-KEY