Skip to main content
API keys authenticate external apps that connect to NoClick through the TypeScript or Python SDK. A key acts on behalf of your account, limited by its permissions and workflow scope.

Create a key

1

Open Developer settings

In the NoClick dashboard, go to Settings and open the Developer section.
2

Name the key

Enter a Key Name that identifies where you’ll use it, for example “My Dashboard App”.
3

Pick a scope

Leave the Scope dropdown on All workflows, or select a single workflow to restrict the key to it.
4

Create and copy

Click Create. The new key appears once in a banner. Copy it now; only a hash is stored, so it cannot be shown again.
The Developer settings page with the key creation form and key list

Key format

PartExampleDescription
Prefixnk_live_Identifies NoClick API keys
Secreta1b2c3d4e5f6...64 hex characters
The key list in Developer settings shows only the first 12 characters of each key for identification.

Permissions

Every SDK call is checked against the key’s permissions:
PermissionAllows
readList workflows, read node outputs and configs, read workflow state, list credentials, download resources, read dataset rows, list runs
executeRun and stop workflows
writeCreate, update, and delete workflows; set node configs; write workflow state; manage credentials; upload resources; modify datasets
Keys created in Developer settings get all three permissions. To mint a key with fewer permissions, call the REST endpoint below with a narrower permissions list.

Workflow scoping

A key scoped to one workflow rejects any request that targets a different workflow. Use scoped keys when an external app only needs one workflow, so a leaked key cannot touch the rest of your account.
Publishing an app mints its own workflow-scoped key automatically. These keys are managed by NoClick, hidden from your key list, and revoked when you unpublish.

Use a key

import { init } from 'noclick';

await init({ apiKey: 'nk_live_...' });

import noclick

sdk = noclick.Client(api_key="nk_live_...")
await sdk.connect()
See External apps for the full connection guide.

Manage keys over REST

Developer settings is backed by a small REST surface at https://api.noclick.io that you can call directly. These endpoints authenticate with your NoClick browser session cookie, not with an API key.
MethodPathPurpose
POST/api/keysCreate a key. Body: name, optional workflow_id, optional permissions (defaults to ["read", "execute", "write"]). Returns raw_key once.
GET/api/keysList your keys with name, prefix, scope, permissions, created and last-used timestamps, and revocation status.
DELETE/api/keys/{key_id}Revoke a key.

Revoke a key

Click the trash icon next to a key in Developer settings. Revocation takes effect immediately; the next request with that key is rejected. Revoked keys stay visible under Show revoked keys for reference.

Security

  • Keys are hashed (SHA-256) at rest. The raw key is shown once at creation and never stored.
  • Treat keys like passwords: keep them in environment variables, never in source control or client-side code.
  • Scope keys to a single workflow whenever possible.
  • Check the “Last used” date in the key list and revoke keys you no longer need.

Next steps

External apps

Connect a TypeScript or Python app to NoClick over WebSocket.

API reference

Every SDK namespace and method.