Authentication

Four ways to authenticate with naxxen, plus how provider auth passthrough works.

Every request to api.naxxen.ai needs two things:

Your naxxen API key — identifies you to naxxen (starts with nxn-sk-)
Your provider API key — forwarded unchanged to OpenAI/Anthropic/Google

naxxen supports four methods to pass your naxxen key. They are checked in this order — the first match wins.

Method 1: Header

Pass the naxxen key in a dedicated header.

X-Naxxen-Key: nxn-sk-YOUR_KEY

Your provider auth stays in its normal header (Authorization, x-api-key, x-goog-api-key).

curl -X POST https://api.naxxen.ai/v1/chat/completions \
  -H "X-Naxxen-Key: nxn-sk-YOUR_KEY" \
  -H "Authorization: Bearer sk-YOUR_OPENAI_KEY" \
  -d '...'

Best for: scripts, SDKs, and any client where you control the headers.

Method 2: URL path prefix

Embed the naxxen key directly in the URL path. naxxen strips it before forwarding.

https://api.naxxen.ai/nxn-sk-YOUR_KEY/v1/chat/completions
                       ^^^^^^^^^^^^^^^
                       stripped before forwarding

The provider receives a clean /v1/chat/completions path. Your provider API key goes in headers as usual.

curl -X POST https://api.naxxen.ai/nxn-sk-YOUR_KEY/v1/chat/completions \
  -H "Authorization: Bearer sk-YOUR_OPENAI_KEY" \
  -d '...'

Best for: coding agents and tools where you can only change the base URL, not add custom headers. This is the recommended method for OpenClaw, Claude Code, and Cursor.

Method 3: Composite Bearer

Combine both keys in the Authorization header, separated by :.

Authorization: Bearer nxn-sk-YOUR_KEY:sk-YOUR_PROVIDER_KEY

naxxen splits on the colon — the left side is your naxxen key, the right side is forwarded to the provider as Authorization: Bearer sk-YOUR_PROVIDER_KEY.

curl -X POST https://api.naxxen.ai/v1/chat/completions \
  -H "Authorization: Bearer nxn-sk-YOUR_KEY:sk-YOUR_OPENAI_KEY" \
  -d '...'

Best for: clients that only allow setting one API key field. Both keys travel in a single header.

Method 4: Auth-agnostic passthrough

This isn't a separate method — it's how naxxen handles provider auth regardless of which method above you use.

After extracting your naxxen key, naxxen forwards whatever remaining auth headers the provider expects, unchanged:

Provider	Forwarded headers
OpenAI	`Authorization: Bearer sk-proj-...`
Anthropic	`x-api-key: sk-ant-...` OR `Authorization: Bearer eyJ...` (OAuth)
Anthropic	`anthropic-version`, `anthropic-beta` (also forwarded)
Google	`x-goog-api-key: AIza...`

This is why tools like Claude Code (which uses Anthropic OAuth, not an API key) work transparently through naxxen. naxxen doesn't care whether the provider auth is an API key or an OAuth bearer token — it just passes it through.

Key format

Prefix:     nxn-sk-
Min length: 20 characters
Max length: 128 characters
Example:    nxn-sk-703ce967a2db7c0633b0edac7750e065

Keys are created in your dashboard. Each key is shown in full only once at creation — after that, only the prefix is visible.

Rate limits

Each API key has rate limits based on your account tier:

Tier	Requests/minute	Requests/day
Free	60	1,000
Pro	600	Unlimited

Rate limits are applied per API key, not per account. If you hit a limit, naxxen returns 429 Too Many Requests.