API

Authentication

generate and use API keys to authenticate requests.

API Keys

API keys are used to authenticate all requests to the noro API. keys have the format:

noro_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

that is, the noro_ prefix followed by 32 alphanumeric characters.

Generate a key

create a new API key by calling the keys endpoint:

curl -X POST https://noro.sh/api/v1/keys

response:

{
  "key": "noro_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "expires": 1714000000000
}

optionally, include a webhook URL to receive notifications:

curl -X POST https://noro.sh/api/v1/keys \
  -H "Content-Type: application/json" \
  -d '{"webhook":"https://example.com/webhook"}'

Key expiration

API keys expire after 90 days by default. the expires field in the response is a unix timestamp in milliseconds.

check your key's expiration date:

curl https://noro.sh/api/v1/keys \
  -H "Authorization: Bearer noro_..."

generate a new key before expiration to avoid service interruption.

Revoke a key

delete your API key if it's compromised or no longer needed:

curl -X DELETE https://noro.sh/api/v1/keys \
  -H "Authorization: Bearer noro_..."

Update webhook

change or remove the webhook URL for your key:

curl -X PATCH https://noro.sh/api/v1/keys \
  -H "Authorization: Bearer noro_..." \
  -H "Content-Type: application/json" \
  -d '{"webhook":"https://new-url.com/webhook"}'

set webhook to an empty string to remove it.

Using your key

include your API key in the Authorization header with the Bearer scheme:

Authorization: Bearer noro_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

example request:

curl https://noro.sh/api/v1/secrets/abc123 \
  -H "Authorization: Bearer noro_..."

Security

  • store keys securely in environment variables
  • never commit keys to version control
  • rotate keys periodically
  • use separate keys for different environments
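
the key format and the expires field described above are enough to automate two of these practices: scanning files for key-shaped tokens before they are committed, and flagging a key that is close to expiry. this is an added example, not part of the noro documentation or client code; the function names, the 14-day warn_days threshold and the sample input are assumptions made for illustration.

```python
import re

# Key format documented on this page: "noro_" followed by 32 alphanumeric characters.
# The lookarounds reject longer tokens that merely contain a key-shaped substring.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])noro_[A-Za-z0-9]{32}(?![A-Za-z0-9])")
MS_PER_DAY = 86_400_000

def redact(key):
    """Keep the prefix and last 4 characters so a finding can be traced without leaking it."""
    return key[:5] + "*" * (len(key) - 9) + key[-4:]

def scan_text(text, path="<stdin>"):
    """Return (path, line_number, redacted_key) for each key-shaped token in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, line_no, redact(match.group(0))))
    return findings

def days_until_expiry(expires_ms, now_ms):
    """`expires` is a unix timestamp in milliseconds, as documented on this page."""
    return (expires_ms - now_ms) / MS_PER_DAY

def needs_rotation(expires_ms, now_ms, warn_days=14):
    """warn_days is an assumed local policy threshold, not a noro setting."""
    return days_until_expiry(expires_ms, now_ms) <= warn_days

# Constructed sample input: one real-looking key (the example key from this page),
# one documentation placeholder, and one over-long token that must not match.
SAMPLE = (
    "# constructed sample .env\n"
    "NORO_API_KEY=noro_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6\n"
    'curl -H "Authorization: Bearer noro_..." https://noro.sh/api/v1/keys\n'
    "token=noro_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6XYZ\n"
)

if __name__ == "__main__":
    import time
    for path, line_no, masked in scan_text(SAMPLE, ".env"):
        print(f"{path}:{line_no}: possible noro API key {masked}")
    expires = 1714000000000  # value from the sample response on this page
    print("rotate now:", needs_rotation(expires, int(time.time() * 1000)))
```

run scan_text over staged file contents in a pre-commit hook and fail the commit when it returns any findings; only the redacted form should reach logs.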

Rate limits

API requests are rate limited to prevent abuse:

  • 100 requests per minute per API key
  • sliding window algorithm
  • returns 429 when exceeded

responses include rate limit headers:

x-ratelimit-limit: 100
x-ratelimit-remaining: 99
x-ratelimit-reset: 1706000060000
x-request-id: req_abc123...