X-API-Key
HTTP header that carries the client's API key; in Normadata it follows the format `nd_{prefix}_{22 chars base62}`.
`X-API-Key` is the standard HTTP header for authenticating requests by application key. Unlike `Authorization: Bearer`, it doesn't imply an OAuth exchange and has no inherent expiration: the key lives until manually rotated.

In Normadata, every API request must include the header:

```
X-API-Key: nd_live_aB3xF9pQrZ7nW2sT5vU8yK
```

Format: `nd_` (product prefix) + `live` or `test` (environment) + `_` + 22 base62 characters generated with a cryptographic PRNG. That structure delivers several useful properties: the prefix lets you visually identify a Normadata key, the environment prevents mixing production credentials with sandbox, and the 22 base62 characters give ~131 bits of entropy.

Best practices:

- Never put the key in the frontend (it's server-side only).
- Always use HTTPS: `X-API-Key` travels in clear over HTTP.
- Rotate keys periodically and on exposure.
- Create separate keys per environment (dev/staging/prod) and per internal service.
- Combine with IP allowlists where the use case allows.

If the key is missing or invalid, the API responds `401 Unauthorized` with `code: "invalid_api_key"`. If revoked, `401` with `code: "key_revoked"`.
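The key format and the two `401` codes described above, as an added Python example (not Normadata's own code). It assumes keys are stored server-side as SHA-256 digests, a digits-then-letters base62 alphabet, and that a key for the wrong environment is answered with `invalid_api_key`; `generate_key`, `authenticate` and `store` are hypothetical names.

```python
import hashlib
import hmac
import math
import re
import secrets
import string

# Base62 alphabet; the page says base62 but not the character order (assumed).
BASE62 = string.digits + string.ascii_letters
KEY_RE = re.compile(r"nd_(live|test)_[0-9A-Za-z]{22}")

def generate_key(env: str) -> str:
    """Build nd_{env}_{22 base62 chars} from the OS CSPRNG via `secrets`."""
    if env not in ("live", "test"):
        raise ValueError("env must be 'live' or 'test'")
    return f"nd_{env}_" + "".join(secrets.choice(BASE62) for _ in range(22))

def entropy_bits(length: int = 22, alphabet: int = 62) -> float:
    """Entropy of the random part: length * log2(alphabet size)."""
    return length * math.log2(alphabet)

def digest(key: str) -> str:
    # Keep only a hash at rest (assumption: the page does not describe storage).
    return hashlib.sha256(key.encode("ascii", "replace")).hexdigest()

def authenticate(headers: dict, store: dict, expected_env: str):
    """Return (status, code); store maps digest -> {"revoked": bool}."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    key = {k.lower(): v for k, v in headers.items()}.get("x-api-key", "")
    m = KEY_RE.fullmatch(key)
    # Reject missing, malformed or wrong-environment keys before any lookup.
    if m is None or m.group(1) != expected_env:
        return 401, "invalid_api_key"
    presented = digest(key)
    record = None
    for stored, meta in store.items():
        # Constant-time digest comparison avoids a timing side channel.
        if hmac.compare_digest(stored, presented):
            record = meta
    if record is None:
        return 401, "invalid_api_key"
    if record["revoked"]:
        return 401, "key_revoked"
    return 200, None
```

`fullmatch` is used rather than `match` so a key with trailing characters, such as a stray newline, is rejected instead of being silently accepted.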