Authentication

Nova accepts two credential types. Most endpoints accept either; some
require one specifically. The reference page for each endpoint lists the
schemes it accepts in the Authentication section.

Partner API key (x-api-key)

Recommended for server-to-server integrations.

  • Created in the partner portal under Settings → API Keys.
  • Scoped to the partner that created it (and that partner's descendants in
    the hierarchy, where applicable).
  • Sent in every request as the x-api-key header.
  • Rotate at least annually, and immediately on suspected compromise.

curl https://api.megsapp.85.group/api/v1/wallets \
  -H 'x-api-key: nova_pk_live_xxx…'

Rotating a key

  1. Create a new key in the portal.
  2. Roll the new key out across your services.
  3. Revoke the old key. There is no grace period — both keys are valid
    simultaneously until the old one is revoked.

Bearer JWT (Authorization: Bearer …)

Used for interactive sessions (partner portal users, MVNO admin
users). Obtained from the relevant login endpoint:

Audience              Login endpoint
Partner portal user   POST /api/v1/partner-auth/login
MVNO admin            POST /api/v1/mvno-auth/login

curl https://api.megsapp.85.group/api/v1/partner-auth/login \
  -H 'content-type: application/json' \
  -d '{ "email": "[email protected]", "password": "…" }'

The response includes accessToken (short-lived) and refreshToken. Send
the access token on subsequent requests:

curl https://api.megsapp.85.group/api/v1/partners/me \
  -H 'authorization: Bearer eyJhbGciOi…'

Refresh access tokens via the dedicated refresh endpoint before they
expire — see the Auth tag in the API reference.
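
The refresh-before-expiry pattern described above, as an added example that is not part of Nova's own documentation or SDK. It assumes the accessToken carries a standard exp claim; refresh_call is a hypothetical wrapper around the refresh endpoint from the API reference and is assumed to return a new access token, and the 60-second margin is an assumed value.

```python
import base64
import json
import time

REFRESH_SKEW_SECONDS = 60  # assumed safety margin, not a Nova-documented value


def jwt_expiry(token):
    """Return the exp claim (Unix seconds), or None if it cannot be read.
    The signature is not verified here: exp is only used to schedule a
    refresh, and the server stays the authority on token validity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if type(exp) in (int, float) else None


def needs_refresh(token, now=None, skew=REFRESH_SKEW_SECONDS):
    """True when the token is unreadable, expired, or within skew of expiry."""
    exp = jwt_expiry(token)
    now = time.time() if now is None else now
    return exp is None or now >= exp - skew


class Session:
    """Holds the accessToken / refreshToken pair returned by login."""

    def __init__(self, access_token, refresh_token, refresh_call):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh_call = refresh_call  # hypothetical: refresh token in, new access token out

    def auth_header(self, now=None):
        if needs_refresh(self.access_token, now):
            self.access_token = self._refresh_call(self.refresh_token)
        return {"authorization": "Bearer " + self.access_token}


def constructed_token(exp):
    """Build an unsigned sample token; constructed for this example only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"exp": exp}), "constructed-sig"])
```

An unreadable token is treated as needing a refresh, so a malformed value is never sent as a Bearer credential.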

Which to use when

Scenario                                     Use
Backend service calling Nova on a schedule   API key
Webhook handler responding to Nova           API key (out)
Browser session in the partner portal        JWT
MVNO operator dashboard                      JWT
One-off script run by a human                Either

Common 401 / 403 causes

  • Missing x-api-key and Authorization headers.
  • API key revoked or belongs to a deleted partner.
  • JWT expired — refresh it.
  • Endpoint requires a role/permission your principal lacks.
  • Request to a resource owned by another partner subtree (RBAC).

See Errors for the full error code catalogue.