The Nango API uses Bearer token authentication. Every request to https://api.nango.dev must include your secret key in the Authorization header.

API keys

Nango provides two types of API keys, each with a distinct purpose:

Secret key

Used for server-side API calls. Grants full access to your Nango environment. Never expose this key in client-side code or public repositories.

Public key

Used for frontend integrations (for example, initializing the Nango Connect UI). Has limited, read-only access scoped to the auth flow.
To find your keys, go to Settings > API Keys in the Nango dashboard.
Your secret key provides full access to your Nango environment. Treat it like a password — store it in environment variables, never in source code.

Authenticating requests

Pass your secret key as a Bearer token in the Authorization header on every API request.
Authorization: Bearer <your-secret-key>

curl

curl -H "Authorization: Bearer $NANGO_SECRET_KEY" \
  https://api.nango.dev/integrations

Node SDK

Install the SDK and pass your secret key when instantiating the client:
npm install @nangohq/node

import Nango from '@nangohq/node';

const nango = new Nango({ secretKey: process.env['NANGO_SECRET_KEY'] });
The secretKey field is required. The SDK throws an error at construction time if it is missing.
The Node SDK defaults to https://api.nango.dev as the host. If you are self-hosting Nango, pass the host option:
const nango = new Nango({
  secretKey: process.env['NANGO_SECRET_KEY'],
  host: 'https://nango.your-domain.com'
});

Environment variables

Store your secret key in an environment variable to keep it out of source code:
export NANGO_SECRET_KEY="<your-secret-key>"
Then reference it in your application:
const nango = new Nango({ secretKey: process.env['NANGO_SECRET_KEY'] });

Error responses

If a request omits the secret key or includes an invalid one, the API returns a 401 Unauthorized response.

Missing Authorization header:
{
  "error": {
    "code": "missing_auth_header"
  }
}
Malformed Authorization header (not a valid Bearer token):
{
  "error": {
    "code": "malformed_auth_header"
  }
}
Unknown or revoked secret key:
{
  "error": {
    "code": "unknown_account"
  }
}
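
The following is an added example, not code from the Nango SDK or documentation. It builds the Authorization header from NANGO_SECRET_KEY, fails before any network call if the key is missing or would produce a malformed header, and maps the three documented 401 codes to a troubleshooting hint without ever putting the key in an error message. The function names (authHeaders, explainAuthFailure, listIntegrations) and the hint texts are hypothetical; a runtime with global fetch (Node 18+) is assumed.

```javascript
// Added example (not from the Nango SDK). Function names are hypothetical.
const API_BASE = 'https://api.nango.dev'; // host given on this page

// Hints for the three 401 error codes this page documents.
const AUTH_HINTS = {
  missing_auth_header: 'No Authorization header reached the API; confirm NANGO_SECRET_KEY is set for this process.',
  malformed_auth_header: 'Header was not "Bearer <key>"; look for stray quotes, spaces or line breaks in the value.',
  unknown_account: 'Key is unknown or revoked; compare it with Settings > API Keys for this environment.'
};

// Build the Authorization header from the environment and fail before any
// network call if the key is absent or would produce a malformed header.
function authHeaders(env = process.env) {
  const key = (env.NANGO_SECRET_KEY || '').trim();
  if (!key) throw new Error('NANGO_SECRET_KEY is not set');
  // Whitespace or control characters inside the key break the header.
  // The message never contains the key itself, so it is safe to log.
  if (/[\s\x00-\x1f\x7f]/.test(key)) throw new Error('NANGO_SECRET_KEY contains whitespace or control characters');
  return { Authorization: `Bearer ${key}` };
}

// Map a response to { code, hint } when it is a 401, otherwise return null.
function explainAuthFailure(status, body) {
  if (status !== 401) return null;
  let parsed = body;
  if (typeof body === 'string') {
    try { parsed = JSON.parse(body); } catch { return { code: null, hint: '401 with a non-JSON body' }; }
  }
  const code = parsed && parsed.error && parsed.error.code;
  if (typeof code !== 'string') return { code: null, hint: '401 without an error code' };
  const hint = Object.prototype.hasOwnProperty.call(AUTH_HINTS, code) ? AUTH_HINTS[code] : 'Undocumented 401 code';
  return { code, hint };
}

// Call the endpoint from the curl example; fetchImpl can be swapped for a stub in tests.
async function listIntegrations(env = process.env, fetchImpl = fetch) {
  const res = await fetchImpl(`${API_BASE}/integrations`, { headers: authHeaders(env) });
  const text = await res.text();
  const failure = explainAuthFailure(res.status, text);
  if (failure) throw new Error(`Nango auth failed (${failure.code}): ${failure.hint}`);
  if (!res.ok) throw new Error(`Nango request failed with HTTP ${res.status}`);
  return JSON.parse(text);
}
```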
