Authentication & API Keys
Authentication Methods
NexusDB supports three authentication methods:
| Method | Use Case | Security Level |
|---|---|---|
| API Key | Server-to-server | Medium |
| JWT Token | User sessions | High |
| OAuth2 | Third-party apps | High |
API Key Authentication
Generate an API key from the admin dashboard or CLI:
```bash
nexusdb keys create --name "production-api" --scope read,write
```

Use the key in your requests:
```javascript
const db = new NexusDB("http://localhost:4200", {
  apiKey: "nxdb_sk_live_abc123def456"
});
```

Or via HTTP header:
```bash
curl -H "Authorization: Bearer nxdb_sk_live_abc123def456" \
  https://api.nexusdb.io/v1/collections
```

JWT Token Authentication
For user-facing applications, use JWT tokens:
```javascript
// Sign in
const { token, user } = await db.auth.signIn({
  email: "jane@example.com",
  password: "secure-password"
});

// Token is automatically attached to subsequent requests
const docs = await db.collection("documents").get();
```

Token Refresh

```javascript
const { token: newToken } = await db.auth.refresh(oldToken);
```

OAuth2 Integration
Register your application to get OAuth2 credentials:
```bash
nexusdb oauth create-app \
  --name "My App" \
  --redirect-uri "https://myapp.com/callback"
```

Authorization Flow
```javascript
// Step 1: Redirect to authorization URL
const authUrl = db.oauth.getAuthorizationUrl({
  clientId: "your-client-id",
  redirectUri: "https://myapp.com/callback",
  scope: "read write"
});

// Step 2: Exchange code for token
// `code` is the authorization code delivered to the redirect URI
const { accessToken } = await db.oauth.exchangeCode(code);
```

Security Best Practices
- Rotate API keys every 90 days
- Use environment variables for secrets — never hardcode
- Restrict key scopes to minimum required permissions
- Enable IP allowlisting for production keys
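
The practices above can be checked mechanically. The following is an added example, not NexusDB code: it loads the key from the environment and audits key records for overdue rotation, excess scope and a missing IP allowlist. The `NEXUSDB_API_KEY` variable name, the record fields (`name`, `environment`, `scopes`, `createdAt`, `ipAllowlist`) and the sample inventory are assumptions constructed for illustration.

```javascript
// Added example: audit API key records against the best practices listed above.
// Record fields and the NEXUSDB_API_KEY name are assumptions, not part of NexusDB.
const MAX_KEY_AGE_DAYS = 90; // rotation interval from the list above
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Read the key from the environment instead of hardcoding it in source.
function loadApiKey(env = process.env) {
  const key = env.NEXUSDB_API_KEY; // hypothetical variable name
  if (typeof key !== "string" || key.trim() === "") {
    throw new Error("NEXUSDB_API_KEY is not set");
  }
  return key.trim();
}

// Return the findings for one key record.
// requiredScopes: the scopes the consuming service actually needs.
function auditKey(record, requiredScopes, now = new Date()) {
  const findings = [];
  const created = new Date(record.createdAt);
  if (Number.isNaN(created.getTime())) {
    findings.push("unknown-age"); // unparseable date is a finding, never "fresh"
  } else if ((now - created) / MS_PER_DAY > MAX_KEY_AGE_DAYS) {
    findings.push("rotation-overdue");
  }
  const extra = record.scopes.filter((s) => !requiredScopes.includes(s));
  if (extra.length > 0) findings.push(`excess-scope:${extra.join(",")}`);
  const allowlisted = Array.isArray(record.ipAllowlist) && record.ipAllowlist.length > 0;
  if (record.environment === "production" && !allowlisted) findings.push("no-ip-allowlist");
  return findings;
}

// Audit every record; a key with no declared requirement is treated as needing no scopes.
function auditInventory(inventory, requiredByName, now) {
  return Object.fromEntries(
    inventory.map((k) => [k.name, auditKey(k, requiredByName[k.name] ?? [], now)])
  );
}

// Constructed sample inventory (not real keys or addresses).
const sampleInventory = [
  { name: "production-api", environment: "production", scopes: ["read", "write"],
    createdAt: "2024-01-10T00:00:00Z", ipAllowlist: [] },
  { name: "reporting", environment: "production", scopes: ["read"],
    createdAt: "2024-05-20T00:00:00Z", ipAllowlist: ["203.0.113.10"] },
];

console.log(auditInventory(sampleInventory,
  { "production-api": ["read"], reporting: ["read"] }, new Date("2024-06-01T00:00:00Z")));
```

A key that is exactly 90 days old passes the rotation check; anything older is reported.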