Authentication

NeutronEDI uses API keys for authentication. Every request to a processing endpoint must include your key in the X-API-Key header. Keys are managed in the NeutronEDI dashboard under API Keys.

Header format

X-API-Key: nedi_live_your_key_here

That's it. No bearer tokens, no JWTs, no OAuth dance for server-to-server traffic. Your key is the only credential the API needs.

Key format

NeutronEDI API keys use the prefix nedi_, followed by a high-entropy secret. The full key is shown exactly once — at the moment you create it in the dashboard. Copy it to your secrets manager immediately.

We store only a SHA-256 hash of the key on our side. If you lose the plaintext, you cannot recover it — you must rotate the key and update your systems.

There is no separate test/live environment split. Every key works against the production API. Use descriptive names like local-dev or staging so you can differentiate them in the dashboard.

Creating a key

  1. Sign in to portal.neutronedi.com
  2. Navigate to API Keys
  3. Click Create key and give it a descriptive name
  4. Copy the plaintext key immediately and store it in your secrets manager
  5. The dashboard will show a short identifier (the last 4 characters of the key) so you can tell keys apart, but never the full value again

Rotating a key

API key rotation is a two-step process to avoid downtime:

  1. In the dashboard, click Rotate on the existing key. This issues a new key while the old one remains valid for a short overlap window.
  2. Update all running systems to use the new key. Once everything is cut over, confirm rotation in the dashboard to revoke the old key.

Rotate keys if:

  • A key is exposed in logs, source control, or a compromised developer machine
  • An employee with access leaves the organization
  • A regular rotation schedule comes due (recommended: every 90 days)

Rate limits

Rate limits depend on your plan:

Plan         Monthly transactions   Burst rate
Developer    500                    10 req/sec
Growth       2,000                  60 req/sec
Enterprise   30,000                 300 req/sec

When you exceed your burst rate, the API returns 429 Too Many Requests with a Retry-After header telling you when to try again. When you exceed your monthly transaction limit, subsequent requests return 429 with a RATE_LIMITED error code until the limit resets at the start of the next billing cycle.

All clients should implement exponential backoff on 429 responses. A reasonable default: start with a 1-second delay, double on each retry, cap at 60 seconds, give up after 5 retries.
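A client-side retry routine that follows the defaults above (1 s start, doubling, 60 s cap, 5 retries) and honours Retry-After, added here as an example rather than code from NeutronEDI's own SDK. The `transport` callable standing in for the HTTPS call, the `api_key` parameter, and the error body shape `{"error": {"code": "RATE_LIMITED"}}` are assumptions of this example.

```python
import time
from typing import Callable, Dict, Optional, Tuple

MAX_RETRIES = 5      # give up after 5 retries (6 requests in total)
BASE_DELAY = 1.0     # first wait is 1 second
MAX_DELAY = 60.0     # never wait longer than 60 seconds

# transport(headers) stands in for the real HTTPS call to api.neutronedi.com
# and returns (status, response_headers, json_body); assumed for this example.
Transport = Callable[[Dict[str, str]], Tuple[int, Dict[str, str], dict]]


def backoff_delay(attempt: int, retry_after: Optional[str] = None) -> float:
    """Seconds to wait before retry `attempt` (0-based): 1, 2, 4, 8, 16, capped at 60.

    A numeric Retry-After header wins over the computed delay; the cap still applies.
    """
    delay = min(BASE_DELAY * (2 ** attempt), MAX_DELAY)
    if retry_after is not None:
        try:
            delay = min(float(retry_after), MAX_DELAY)
        except ValueError:
            pass  # Retry-After given as an HTTP-date: keep the exponential delay
    return delay


def quota_exhausted(resp_headers: Dict[str, str], payload: dict) -> bool:
    """Monthly limit reached: a 429 carrying RATE_LIMITED and no Retry-After.

    Retrying cannot help until the billing cycle resets, so stop immediately.
    The body shape {"error": {"code": ...}} is an assumption of this example.
    """
    code = (payload.get("error") or {}).get("code")
    return code == "RATE_LIMITED" and "Retry-After" not in resp_headers


def send_with_backoff(transport: Transport, api_key: str,
                      sleep: Callable[[float], None] = time.sleep) -> Tuple[int, dict]:
    """Send one request, retrying 429 responses with exponential backoff.

    The key is passed in (load it from your secrets manager); it goes into the
    X-API-Key header and is never written to a log by this function.
    """
    headers = {"X-API-Key": api_key}
    status, resp_headers, payload = transport(headers)
    for attempt in range(MAX_RETRIES):
        if status != 429 or quota_exhausted(resp_headers, payload):
            break
        sleep(backoff_delay(attempt, resp_headers.get("Retry-After")))
        status, resp_headers, payload = transport(headers)
    return status, payload
```

Inject a fake `transport` and `sleep` in tests so the retry schedule can be checked without touching the network or waiting.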

Security best practices

Never commit keys to source control. Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler, 1Password Secrets Automation, etc.). If a key ever lands in a public git history, rotate it immediately — we recommend automated scanning tools that detect committed secrets before they reach a remote.

Use separate keys per environment. Create one key per environment (production, staging, local-dev) so you can rotate a compromised key without taking down the others.

Scope keys to the smallest system possible. Instead of sharing one key across your entire fleet, create a key per deployment or per service. When something goes wrong, rotation is surgical.

Monitor usage. The dashboard tracks API calls per key. If a key's usage suddenly spikes without a corresponding change in your traffic, investigate immediately.

Never log the plaintext key. Strip X-API-Key headers from all request logs, both in your application and in any upstream proxies or load balancers.

Use TLS. All requests must go to https://api.neutronedi.com. The API rejects plain HTTP connections.

Revoking a key

To immediately revoke a key without a rotation window, click Revoke in the dashboard. The key stops working instantly. Use this when you know a key is compromised and you want to cut it off before any new requests succeed.