Stealth previewdocs are early and rough. Please don't share publicly.
New Theory
DocsAPIModels

Get an API key

What an NT API key is, how it gates inference, and what happens on revocation.

View as Markdown

NT uses bearer-token authentication. You issue a key — with newt login or in the console — and the newt library presents it on every connection. Revoke a key in the console and the connections it backs start refusing new calls within seconds.

What a key looks like

NT keys carry a recognisable prefix:

nt_a1b2c3d4e5f60718293a4b5c6d7e8f9011223344

The nt_ prefix identifies the key as an NT API key. The 40-character hex suffix is the secret. Treat the whole string as a password: it grants the holder the right to spend inference time against the account that issued it.

How a key is presented

The newt library reads NT_API_KEY from the environment and presents it on every connection. In code:

from newt import Robot

robot = Robot()  # uses NT_API_KEY from env

Or, explicitly:

robot = Robot(api_key="nt_...")

On the wire, the key travels as a standard bearer token on the WebSocket handshake:

Authorization: Bearer nt_a1b2c3d4...

If you're hitting the endpoint without the SDK, that's the header to set.

What happens on revocation

When you revoke a key in the console, NT's inference endpoint stops honouring it on the next handshake.

AuthError can fire in two places:

  • At Robot() construction — the SDK validates your key against the registry before opening any WebSocket. A bad, revoked, or malformed key fails here in about a second, with a hint that valid keys start with nt_. This is the earliest and most common failure point.
  • At the WebSocket handshake — if a key is revoked mid-session, the next connection attempt fails at the handshake. The key is verified once, at handshake, and never re-checked after that, so an already-open connection keeps running until it closes on its own.
from newt import Robot, AuthError

try:
    robot = Robot()
    for chunk in robot.run("pick up the cup", stream=True):
        ...
except AuthError:
    # Key is invalid, revoked, or absent.
    ...

AuthError is the only auth-related exception the SDK raises. It covers wrong key, revoked key, and missing key — the error message distinguishes them; the type does not.

Where to go next

  • Issue, list, or revoke a key. See Key management.
  • Get a key from the console. Open the console and click Create key.

On this page