Skip to Content
DashboardAPI Keys

API Keys

API keys enable CLI authentication in non-interactive environments like CI/CD pipelines.

Key Format

Keys follow the format:

nrx_<base64_random_bytes>

Example: nrx_Ks7dF2xW9bT3mN...

The first 12 characters (prefix) are stored for display. The full key is hashed for secure lookup.

Creating API Keys

From Dashboard

  1. Go to Dashboard → Settings → API Keys
  2. Click Create API Key
  3. Enter a name (e.g., “GitHub Actions”, “Jenkins”)
  4. Select scopes:
    • build: Create and manage builds
    • submit: Submit apps to stores
    • update: Publish OTA updates
  5. Optionally set expiration (days)
  6. Click Create
  7. Copy the key immediately. It won’t be shown again

Important

The full API key is only displayed once at creation. If you lose it, you’ll need to create a new key.

Using API Keys

Environment Variable

Set NORRIX_API_KEY in your environment:

export NORRIX_API_KEY=nrx_abc123...

CI/CD Secrets

Add to your CI platform’s secrets:

PlatformLocation
GitHubSettings → Secrets → Actions
GitLabSettings → CI/CD → Variables
CircleCIProject Settings → Environment Variables
JenkinsCredentials

Usage

The CLI automatically uses NORRIX_API_KEY if set:

norrix build ios release -n

Scopes

ScopePermissions
buildCreate builds, check status, download artifacts
submitSubmit apps to stores, check submission status
updatePublish OTA updates, check update status

Default Scopes

New keys include all scopes by default: build, submit, update.

Least Privilege

Create keys with only necessary scopes:

  • Build-only key for build servers
  • Update-only key for OTA deployment

Managing Keys

View Keys

Dashboard → Settings → API Keys shows:

  • Key name
  • Key prefix (first 12 chars)
  • Scopes
  • Last used
  • Expiration
  • Created by

Revoking Keys

  1. Find the key in the list
  2. Click Revoke
  3. Confirm revocation

Effects:

  • Key is immediately invalidated
  • Any active requests will fail
  • Key remains in list as “revoked”

Who Can Revoke

  • Owners can revoke any key
  • Admins can revoke their own keys
  • Members can’t manage API keys

Key Expiration

Setting Expiration

When creating a key, optionally set expiration in days.

Expired Keys

Expired keys:

  • Can’t authenticate
  • Remain in the list
  • Show “expired” status

No Expiration

Keys without expiration never expire. Best for production CI/CD pipelines with proper secret rotation.

Security Best Practices

Rotate Keys Regularly

  • Rotate keys periodically (e.g., quarterly)
  • Revoke old keys after confirming new ones work

Separate Keys

Create separate keys for:

  • Different CI/CD pipelines
  • Different environments (staging, production)
  • Different team members

Least Privilege

Only grant scopes that are needed:

# Build-only key for build server
Scopes: [build]
 
# Deploy key for release pipeline
Scopes: [submit, update]

Audit Usage

Review lastUsedAt to identify:

  • Unused keys (candidates for removal)
  • Unexpected usage patterns

Revoke Compromised Keys

If a key is exposed:

  1. Revoke immediately
  2. Create new key
  3. Update CI secrets
  4. Review recent activity
Organizations & TeamsWeb Interface