Skip to main content

Authentication

All API requests must be authenticated using an API key. API keys provide stateless, scoped authentication for programmatic access.

Key format

EnvironmentPrefixExample
Productionnl_live_nl_live_a1b2c3d4e5f6... (64 hex chars)
Testnl_test_nl_test_a1b2c3d4e5f6... (64 hex chars)
Keys use 256-bit entropy (64 hex characters after the prefix).

Passing your API key

You can authenticate using either method: Option 1: X-API-Key header (recommended) 
curl -H "X-API-Key: nl_live_YOUR_API_KEY" \
  https://api.naturalead.ai/api/leads
Option 2: Bearer token 
curl -H "Authorization: Bearer nl_live_YOUR_API_KEY" \
  https://api.naturalead.ai/api/leads
When both X-API-Key and Authorization: Bearer nl_* are present, the X-API-Key header takes precedence.

Key security

  • The full key is shown only once at creation. Naturalead stores only a SHA-256 hash.
  • Keys are scoped to a single account (organization).
  • Each key has a keyHint (last 4 characters) for identification in the dashboard.
  • Keys can be set to expire at a specific date.

Creating API keys

Create keys via the dashboard (Settings > API Keys) or programmatically: 
curl -X POST "https://api.naturalead.ai/api/api-keys" \
  -H "X-API-Key: nl_live_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CRM Integration",
    "scopes": ["leads:view", "leads:import", "leads:sync_create"],
    "environment": "live"
  }'

Key lifecycle

ActionEndpointDescription
CreatePOST /api/api-keysGenerate a new key with selected scopes
ListGET /api/api-keysView all keys for the account (masked)
RevokePATCH /api/api-keys/:id/revokeDisable a key (irreversible)
RotatePOST /api/api-keys/:id/rotateRevoke old key, generate new one atomically
DeleteDELETE /api/api-keys/:idPermanently delete a revoked key

Scopes and Permissions

API keys are scoped to specific permissions. A key can only perform actions matching its scopes.

Available scopes

DomainScopeDescription
Leadsleads:viewList, search, and filter leads
Leadsleads:importCreate, update, delete, and import leads
Leadsleads:start_conversationStart conversations with leads
Leadsleads:sync_createBulk sync (create/update) leads
Leadsleads:sync_deleteBulk delete synced leads
Conversationsconversations:viewList and read conversations
Conversationsconversations:editEdit conversation data
Conversationsconversations:send_messageSend messages in conversations
Conversationsconversations:change_statusUpdate conversation status
Agent Configagent_config:viewView agent configurations
Agent Configagent_config:editCreate and modify agents
Knowledgeknowledge:viewView knowledge bases and documents
Knowledgeknowledge:uploadUpload documents and manage sources
Knowledgeknowledge:deleteDelete documents and knowledge bases
Campaignscampaigns:viewList and view campaigns
Campaignscampaigns:createCreate new campaigns
Campaignscampaigns:editUpdate campaign settings
Campaignscampaigns:launchLaunch and pause campaigns
Campaignscampaigns:deleteDelete campaigns
Analyticsanalytics:viewView analytics and reports
A/B Testingab_testing:viewView A/B tests
A/B Testingab_testing:manageCreate and manage A/B tests
Auditaudit:viewView audit logs
Auditaudit:exportExport audit logs
API Keysapi_keys:viewView API keys
API Keysapi_keys:manageManage API keys
When creating an API key, you can only grant scopes that your own role has permission for. This prevents privilege escalation.

Error responses

StatusResponseCause
401{"error": "Invalid or expired API key"}API key is revoked, expired, or not found
401{"error": "Authentication required. Provide an API key via X-API-Key header or Authorization: Bearer header."}No API key provided
403{"error": "Forbidden", "message": "API key does not have the required scope (requires: leads:view)."}Key is missing the required permission
403{"error": "Forbidden", "message": "You do not have permission to perform this action (requires: leads:view)."}Your role lacks the required permission