Authentication
How to send an API key with each request and where partners obtain keys.
Every request to /api/v1/platform/* must include your API key. Nepex accepts either header form:
• Authorization: Bearer <your_api_key>
• x-api-key: <your_api_key>
Treat each key like a password. You will normally see the full secret only once, when it is first created — copy it into a secrets manager or your deployment configuration. Do not commit keys to source control, embed them in client-side code, or share them in support tickets.
Where to get an API key: Sign in to the Nepex travel website with an account that has been onboarded as a partner and granted API access. Open your account Profile, go to the API access (or equivalent) section, choose the environment (Development, Staging, or Production), then use Generate to create a key. You can configure allowed origins and webhook URLs alongside keys. If a key is lost or rotated away, generate a new one; older revoked keys cannot be recovered.
Nepex accepts a key when it is active, your account is authorized for the API, the key’s environment matches the Nepex environment you are calling (development, staging, or live), and — where applicable — the request Origin is allowed for that environment.
Sample API key format
nxp_a1b2c3d4e5f6789012345678901234567890abcdef0123456789abcdef012345Example shape only — not a valid key. Live keys use the `nxp_` prefix followed by a long random string. You will see your real key once when you generate it.
- Call the API from your backend or a secure integration tier; never expose the raw key in browsers or apps
- Rotate keys on a schedule and immediately revoke any key you suspect is compromised
- If you need access enabled or have account questions, contact Nepex through your usual partner or support channel