Authentication - NxVET API

Overview

NxVET uses API Key authentication for programmatic access to the REST API. API keys provide secure, organization-scoped access to NxVET data.

Key Features

Organization-scoped: Each key is bound to a single organization
Instant revocation: Revoked keys are immediately invalidated
Optional expiration: Set an expiry date or create keys that never expire
Usage tracking: Last-used timestamps for auditing
Self-service: Create and manage keys through the NxVET Integrations page

Quick Start

Get up and running in under 2 minutes:

Generate an API key in the NxVET Integrations page → API Keys tab
Copy the key immediately (it's shown only once!)
Make your first API call:

curl -H "Authorization: Bearer nxvet_sk_YOUR_API_KEY" \
  "https://app.nx.vet/api/devices?organizationId=YOUR_ORG_ID&limit=10"

const response = await fetch(
  'https://app.nx.vet/api/devices?organizationId=YOUR_ORG_ID&limit=10',
  {
    headers: {
      'Authorization': 'Bearer nxvet_sk_YOUR_API_KEY'
    }
  }
);

const devices = await response.json();
console.log(devices);

import requests

response = requests.get(
    'https://app.nx.vet/api/devices',
    params={'organizationId': 'YOUR_ORG_ID', 'limit': 10},
    headers={'Authorization': 'Bearer nxvet_sk_YOUR_API_KEY'}
)

devices = response.json()
print(devices)

Success! A 200 OK response with a list of devices confirms your API key is working correctly.

Getting API Keys

Prerequisites

A NxVET account with organization owner or NxVET admin role
At least one organization associated with your account

Creating a Key via the UI

Log in to app.nx.vet
Navigate to the Integrations page → API Keys tab
Click "Create API Key"
Enter a descriptive name (e.g., "Production Integration")
Select the organization this key should access
Optionally set an expiration date
Click Create

Important: The full API key is displayed only once after creation. Copy it immediately and store it securely. If lost, you must create a new key.

Creating a Key via the API

You can also create keys programmatically (requires an existing authenticated session):

curl -X POST "https://app.nx.vet/api/api-keys" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Integration",
    "organizationId": "YOUR_ORG_ID",
    "expiresAt": "2027-01-01T00:00:00Z"
  }'

Response:

{
  "id": "019e1234-5678-7000-abcd-123456789abc",
  "name": "Production Integration",
  "keyPrefix": "nxvet_sk_a1b2c3d4...",
  "key": "nxvet_sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "organizationId": "0185644d-9383-7000-b35d-6e31e1158b43",
  "createdAt": "2026-02-20T17:45:00Z",
  "expiresAt": "2027-01-01T00:00:00Z"
}

Using API Keys

Authorization Header

Include your API key in the Authorization header of every request:

Authorization: Bearer nxvet_sk_YOUR_API_KEY

Error Responses

Status	Meaning	Action
`401`	Invalid, revoked, or expired API key	Check your key is correct and has not been revoked
`403`	Insufficient permissions (e.g., wrong organization)	Verify your key has access to the requested resource
`429`	Rate limited	Reduce request frequency and retry after a delay

Key Management

Listing Keys

View all your API keys (full keys are never shown after creation):

curl -H "Authorization: Bearer nxvet_sk_YOUR_API_KEY" \
  "https://app.nx.vet/api/api-keys"

Each key in the response includes:

keyPrefix — First 8 characters for identification (e.g., nxvet_sk_a1b2c3d4...)
lastUsedAt — Timestamp of last API request
isRevoked — Whether the key has been revoked
expiresAt — Expiration date (null if no expiration)

Revoking Keys

Revoke a key immediately. This cannot be undone.

curl -X DELETE -H "Authorization: Bearer nxvet_sk_YOUR_API_KEY" \
  "https://app.nx.vet/api/api-keys/KEY_ID"

Returns 204 No Content on success. All subsequent requests using the revoked key will receive 401 Unauthorized.

Security Best Practices

Treat API keys like passwords. Anyone with your key can access your organization's data.

Use environment variables — Never hardcode keys in source code
Rotate regularly — Create new keys and revoke old ones periodically
One key per integration — Use separate keys for each service or environment
Never expose client-side — API keys must only be used from server-side code
Monitor usage — Check lastUsedAt to detect unused or compromised keys
Set expiration dates — Use expiresAt for time-limited integrations
Revoke immediately — If a key is compromised, revoke it right away

Example: Using Environment Variables

// .env file:
// NXVET_API_KEY=nxvet_sk_your_key_here

const apiKey = process.env.NXVET_API_KEY;

const response = await fetch('https://app.nx.vet/api/devices?organizationId=YOUR_ORG_ID', {
  headers: { 'Authorization': `Bearer ${apiKey}` }
});

import os
import requests

# .env file or system environment:
# NXVET_API_KEY=nxvet_sk_your_key_here

api_key = os.environ['NXVET_API_KEY']

response = requests.get(
    'https://app.nx.vet/api/devices',
    params={'organizationId': 'YOUR_ORG_ID'},
    headers={'Authorization': f'Bearer {api_key}'}
)

Implementation Checklist

Generate an API key from the NxVET Integrations page Store the API key securely (environment variable or secrets manager) Include Authorization: Bearer nxvet_sk_... in all API requests Handle 401 responses (expired/revoked key) Handle 403 responses (wrong organization) Handle 429 responses (rate limiting) Never expose the API key in client-side code Plan for key rotation (create new key before revoking old one)