Authentication
Every request must include your organization's API key. Keys are issued by Notrus and scoped to a single organization — the API only ever returns your organization's data.
The apikey header
Send your key in the apikey request header on every call:
```http
apikey: <your-api-key>
```
Example
```bash
curl https://api.hom.notrus.ai/graphql \
  -H "Content-Type: application/json" \
  -H "apikey: $NOTRUS_API_KEY" \
  -d '{"query":"{ conversations(first: 1) { edges { node { conversationId } } } }"}'
```
How it works
Requests are authenticated at the API gateway. A valid key resolves to your organization, and that organization scope is applied to every query automatically — there is no tenant argument to pass, and you cannot query another organization's data with your key.
Keeping your key safe
- Treat the key like a password. Do not commit it to source control.
- Send it only over HTTPS (all endpoints are HTTPS-only).
- The API Console keeps your key in the browser session only — it is never sent anywhere except directly to the API.
Missing or invalid key
A request without a valid key is rejected before it reaches the API. An authenticated request that resolves to no organization returns an UNAUTHENTICATED error — see Errors.
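The following client sketch is an added example, not Notrus code. It applies the points under "Keeping your key safe" and "Missing or invalid key": the key comes from the environment, non-HTTPS URLs and redirects are refused, and both rejection paths are surfaced. The function names are hypothetical, and the location of the UNAUTHENTICATED code inside the response body is an assumption based on common GraphQL practice; the Errors reference defines the actual shape.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_URL = "https://api.hom.notrus.ai/graphql"  # endpoint from the curl example


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # urllib copies custom headers onto a redirected request; refusing
    # redirects keeps the apikey header from being replayed to another URL.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_request(query, env=os.environ, url=API_URL):
    """Build the POST request, taking the key from the environment only."""
    key = env.get("NOTRUS_API_KEY", "").strip()
    if not key:
        raise RuntimeError("NOTRUS_API_KEY is not set")
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "apikey": key},
    )


def auth_failed(payload):
    """True if the body reports UNAUTHENTICATED.
    Assumption: the code sits at errors[].extensions.code."""
    return any(
        (err.get("extensions") or {}).get("code") == "UNAUTHENTICATED"
        for err in payload.get("errors") or []
    )


def run_query(query):
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(build_request(query), timeout=10) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as exc:
        # Rejected before reaching the API, or a redirect that was refused.
        raise RuntimeError(f"request rejected with HTTP {exc.code}") from exc
    if auth_failed(payload):
        raise PermissionError("key did not resolve to an organization")
    return payload
```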