API keys authenticate every request your agents and integrations make to the Nomotic API. This article covers creating keys, choosing the right scope, and keeping them secure.
Creating an API key
Go to Settings → API Keys → Create API Key. Give the key a descriptive name — something that identifies what it is used for, such as production-support-agent or ci-integration. Vague names like key1 make key management harder when you have multiple integrations.
Scopes
Every key has a scope that controls what it can do:
Agentic — for SDK integrations and governed agents. Can submit evaluations, read audit trail records, and update agent status. This is the right scope for agent integrations.
Write — can create and update agents, policies, and context profiles. For integrations that manage platform configuration.
Read — read-only access to evaluations, audit trail, and agent status. For analytics and reporting tools.
Admin — full access. For internal tooling and automation only.
Use the minimum scope required for each integration. An agent that only needs to submit evaluations should use the Agentic scope, not Admin.
Copying your key
When you create a key, the full value is shown exactly once. Copy it immediately and store it in a secrets manager or environment variable. Nomotic does not store the full key — only a hashed version for verification. If you lose a key, revoke it and create a new one.
Using your key
Include the key in the Authorization header of every API request:
Authorization: Bearer nm_live_your_key_here
Never put keys in source code or commit them to version control. Use environment variables.
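As an added example (not Nomotic's own code), the Python below builds the Authorization header from an environment variable and scans file content for hardcoded keys before they reach version control. The variable name NOMOTIC_API_KEY and the character set after the nm_live_ prefix are assumptions; the sample file content and the key in it are constructed.

```python
import os
import re

# Assumption: keys start with the "nm_live_" prefix shown in this article and
# continue with letters, digits, "_" or "-". The article does not document the
# full key format, so the pattern is deliberately loose.
KEY_PATTERN = re.compile(r"nm_live_[A-Za-z0-9_-]{8,}")
PLACEHOLDER = "nm_live_your_key_here"  # documentation placeholder, not a secret
ENV_VAR = "NOMOTIC_API_KEY"            # hypothetical variable name


def auth_headers(environ=os.environ):
    """Build the Authorization header from the environment, never from source."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Keep only the prefix and the last four characters for safe logging."""
    return f"{key[:8]}...{key[-4:]}"


def find_hardcoded_keys(text, filename="<input>"):
    """Return (filename, line_number, redacted_key) for each key-like string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_PATTERN.finditer(line):
            if match.group(0) != PLACEHOLDER:
                findings.append((filename, lineno, redact(match.group(0))))
    return findings


# Constructed sample input: a settings file with one hardcoded (made-up) key.
SAMPLE = '''\
import os
API_KEY = "nm_live_Zx81kQw0pLm3Tt7abcd9"   # hardcoded: should be flagged
DOC_KEY = "nm_live_your_key_here"           # placeholder: ignored
SAFE_KEY = os.environ["NOMOTIC_API_KEY"]    # read from environment: fine
'''

if __name__ == "__main__":
    for finding in find_hardcoded_keys(SAMPLE, "settings.py"):
        print("possible committed key:", finding)
```

Running find_hardcoded_keys over staged files in a pre-commit hook or CI step catches a key before it is pushed; findings are redacted so the scanner's own output does not leak the key.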
Rotating keys
To rotate a key without downtime: create a new key with the same scope, update your integration to use the new key, verify it is working in your logs, then revoke the old key from Settings → API Keys. Revocation is immediate — any request using the revoked key receives a 401 response.
Rotate keys periodically and always after a team member with key access leaves your organization.