Authentication

How to authenticate with the elNudge REST API using Bearer tokens.

All elNudge REST API requests are authenticated with a Bearer token passed in the Authorization header.

API keys

API keys are site-scoped — each key grants access to the data and settings for a single site. You cannot use one key to access another site's data.

Find your API keys at:

Dashboard → Settings → API Keys

Key types

| Key prefix | Environment | Behaviour |
| --- | --- | --- |
| sk_live_XXXXXXXX | Production | Rate-limited. Fires real nudges. Reads and writes live data. |
| sk_test_XXXXXXXX | Sandbox | No real nudges are fired. Use for integration testing and development. |

Always use sk_test_ keys during development and CI. Switch to sk_live_ only in production.

Making an authenticated request

Pass the key as a Bearer token in the Authorization header:

GET /v1/sessions HTTP/1.1
Host: api.elnudge.com
Authorization: Bearer sk_live_XXXXXXXX

Using curl:

curl https://api.elnudge.com/v1/sessions \
  -H "Authorization: Bearer sk_live_XXXXXXXX"

Rotating keys

To rotate an API key:

  1. Generate a new key in Dashboard → Settings → API Keys → Add key.
  2. Update your application or environment variables to use the new key.
  3. Delete the old key in the dashboard.

There is a 1-hour grace period after generating a new key during which both the old and new keys are valid. Use this window to deploy your updated configuration without downtime.

Security

Never expose API keys client-side. API keys grant access to your session data, nudge configuration, and analytics. Keep them in environment variables or a secrets manager — never in frontend JavaScript, browser extension code, or a public repository.

The SDK site key is different. The snippet you install on your storefront contains a public site key that identifies your site to the elNudge relay. This key is intentionally public — it only identifies your site, it does not grant access to the API. Do not confuse the two.

| Key | Public or private? | Purpose |
| --- | --- | --- |
| SDK site key (in <script> tag) | Public — safe to expose | Identifies your site to the event relay |
| API key (sk_live_ / sk_test_) | Private — never expose | Authenticates REST API requests |
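
One way to enforce the key-handling rules above in a server-side client, as an added example that is not elNudge's own code. The variable names ELNUDGE_API_KEY and APP_ENV, the CI flag, and the KeyPolicyError class are assumptions; only the sk_live_ / sk_test_ prefixes and the Bearer header come from this page.

```python
import os

# Prefixes are taken from the key-type table on this page. The environment
# variable names and the policy class below are assumptions for illustration.
LIVE_PREFIX = "sk_live_"
TEST_PREFIX = "sk_test_"


class KeyPolicyError(RuntimeError):
    """Raised when the configured key is missing or wrong for the environment."""


def redact(key):
    """Return a log-safe form: the type prefix plus a fixed mask, never key material."""
    for prefix in (LIVE_PREFIX, TEST_PREFIX):
        if key.startswith(prefix):
            return prefix + "****"
    return "****"


def load_api_key(env=None):
    """Read the API key from the environment and enforce test-vs-live usage.

    ELNUDGE_API_KEY, APP_ENV and CI are hypothetical variable names.
    """
    env = os.environ if env is None else env
    key = env.get("ELNUDGE_API_KEY", "").strip()
    app_env = env.get("APP_ENV", "development").lower()
    in_ci = env.get("CI", "").lower() in ("1", "true")

    if not key:
        raise KeyPolicyError("ELNUDGE_API_KEY is not set")
    if not key.startswith((LIVE_PREFIX, TEST_PREFIX)):
        # Catches, for example, the public SDK site key pasted in by mistake.
        raise KeyPolicyError("value is not an API key: " + redact(key))
    if key.startswith(LIVE_PREFIX) and (in_ci or app_env != "production"):
        raise KeyPolicyError("live key outside production or in CI: " + redact(key))
    return key


def auth_headers(env=None):
    """Build the Authorization header the REST API expects."""
    return {"Authorization": "Bearer " + load_api_key(env)}
```

Call auth_headers() once at startup so a misconfigured deployment fails before any request is sent, and log only the redact() form of the key.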