Stealth previewdocs are early and rough. Please don't share publicly.
New Theory
DocsAPIModels

Key management

Issue keys with newt login, and manage them — list, revoke, logout — from the CLI and the console.

View as Markdown

newt login is the primary way to issue a key. The console is the management surface: it issues keys for contexts where the CLI isn't available, and it's where you list and revoke keys.

Issue a key with newt login

newt login

The command prints a URL and a pairing code. Open the URL in a browser, confirm the code shown there matches the one in your terminal, and approve. The CLI receives a key and stores it at ~/.nt/credentials. The SDK and CLI read it from there automatically on subsequent runs.

For scripted or agent contexts, newt login --print runs the same pairing flow but prints the key to stdout and persists nothing. Capture the output yourself — into a secret store, an environment variable, or a .env file.

newt login --print

Issue a key in the console

Use the console when the CLI isn't an option — a teammate provisioning a key, a deploy target without newt installed, or any environment where the browser pairing flow doesn't fit.

  1. Open the console and sign in.
  2. Open the Keys page from the sidebar.
  3. Click Create API key. The console reveals the key value once, in a dialog.
  4. Copy the value now. It looks like nt_<40 hex>. Save it to your password manager or export it directly into the shell you'll run from.

One-time reveal. The console only shows the key plaintext at the moment of creation. After you close the dialog you can list the key (prefix only) and revoke it, but you can't see the full value again. If you lose the plaintext, revoke and reissue.

List your keys

The Keys page in the console shows every key issued under your account: name, masked key, creation date, and a status of In use or Never used. The full key value is never shown — the suffix hint (last 8 chars) is enough to identify which one is which when you cross-reference against the value you saved.

Revoke a key

  1. On the Keys page, find the key you want to revoke.
  2. Click Revoke on its row.
  3. Confirm. The key is removed from the active set.

Revocation propagates to the inference endpoint within seconds; new connections fail with AuthError. The key is checked once, at connection handshake — an already-open connection isn't re-checked, so it keeps running on a revoked key until it closes on its own.

Remove local credentials with newt logout

newt logout

newt logout deletes ~/.nt/credentials. The key itself stays valid — logout only removes it from this machine. To make the key stop working, revoke it in the console.

Practices that pay off

  • One key per project or robot. When something leaks or a workstation gets re-imaged, you revoke one key, not all of them.
  • Name keys after where they live. laptop-mattie, demo-rig-1, ci-runner. Future-you grepping a list of prefixes will thank you.
  • Rotate by reissue, not by edit. Create the new key, swap your environment over, then revoke the old one. There is no "rotate" operation — issuing plus revoking is the rotation.
  • Don't commit keys to source. Use NT_API_KEY from the shell, a .env file gitignored at the repo root, or your platform's secret store. The newt library reads NT_API_KEY first and falls back to ~/.nt/credentials — the env var wins when both are present, so you don't have to thread plaintext through code.

On this page