Skip to main content

API Keys

API keys let bot users access Nico programmatically — for the CLI tool, Claude Code skill, or custom integrations.

How API keys work

  • API keys are tied to bot users (not regular accounts)
  • Each key has an expiration date — keys stop working after they expire
  • Keys can be revoked at any time
  • Keys support scopes to limit what they can access
  • The raw key is only shown once at creation — store it securely

Creating an API key

1

Create a bot user

A team owner creates a bot user for your account. Bot users are special accounts designed for automated access.
2

Generate a key

Go to Security in the bot user’s settings and click Create API Key.
  • Enter a name for the key (e.g., “Claude Code skill”)
  • Set an expiration date
  • Select the scopes the key should have
3

Copy the key

Copy the API key immediately — it won’t be shown again.
Store your API key securely. Never commit it to version control or share it publicly. If a key is compromised, revoke it immediately and create a new one.

Using an API key

Set the key as an environment variable: 
export NICO_API_KEY="your-api-key-here"
The key is sent as a Bearer token in the Authorization header: 
Authorization: Bearer your-api-key-here

Managing keys

Viewing active keys

Go to Security in your account settings to see all API keys, their names, expiration dates, and status.

Revoking a key

Click Revoke next to any key to immediately disable it. Revoked keys cannot be reactivated — create a new one instead.

Key expiration

All API keys have a mandatory expiration date. When a key expires:
  • It stops working immediately
  • The CLI and any integrations using it will return authentication errors
  • Create a new key to restore access

Security best practices

  • Set short expiration dates and rotate keys regularly
  • Use the minimum required scopes for each key
  • Revoke keys you no longer need
  • Use separate keys for different integrations so you can revoke them independently