API keys authenticate the Nova agent and any programmatic access to your account. This guide shows you how to create the right kind of key, scope it, and rotate it without downtime.
Go to Settings > API Keys. You will see existing keys, their scope, and when they were last used.
Generate an agent key for installing the Nova agent. This is the value you pass as NOVA_API_KEY in the install command.
For the API or CLI, create a personal access token scoped to read-only or read-write. Use a separate token per integration so you can revoke one without breaking the others.
To rotate, create the new key first, update your agents or CI, confirm traffic on the new key, then revoke the old one.
Never commit keys to source control. Nova includes a secret leak detector that scans for exposed credentials, but prevention is better: store keys in your secrets manager and inject them at runtime.
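A pre-commit style check for the rule above, as an added example that is not part of Nova or its secret leak detector: it flags lines that assign a literal value to NOVA_API_KEY and passes lines that only reference an environment variable, CI secret or secrets-manager call. The function name, the reference patterns and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Assignment to NOVA_API_KEY in shell, dotenv, YAML, JSON or source code.
ASSIGN = re.compile(r"""NOVA_API_KEY["']?\s*[:=](?!=)\s*(?P<val>[^#\n]*)""")

# Values resolved at runtime rather than stored in the file (assumed patterns).
REFERENCE = re.compile(r"""^(?:
      \$\{\{.*\}\}          # CI secret templating
    | \$\(.*\)              # command substitution, e.g. a secrets-manager CLI
    | \$\{?\w+.*            # shell variable, with or without braces
    | \{\{.*\}\}            # generic template variable
    | (?:os\.environ|os\.getenv|process\.env)\b.*
    )$""", re.VERBOSE)

# Constructed sample input; none of these values is a real key.
SAMPLE = '''\
NOVA_API_KEY=constructed-example-value
export NOVA_API_KEY="${NOVA_API_KEY}"
  NOVA_API_KEY: ${{ secrets.NOVA_API_KEY }}
key = os.environ["NOVA_API_KEY"]
NOVA_API_KEY=
"NOVA_API_KEY": "constructed-example-value",
'''

def find_hardcoded_keys(path, text):
    """Return (path, line_no) for each line assigning a literal to NOVA_API_KEY."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN.search(line)
        if not m:
            continue
        val = m.group("val").strip().strip(",;").strip().strip("\"'")
        if not val or val.startswith("<") or REFERENCE.match(val):
            continue  # empty, <placeholder>, or injected at runtime
        hits.append((path, no))
    return hits

if __name__ == "__main__":
    found = []
    for p in sys.argv[1:]:  # paths of staged files
        with open(p, encoding="utf-8", errors="replace") as fh:
            found += find_hardcoded_keys(p, fh.read())
    for p, no in found:
        # Report location only; the matched value is never echoed.
        print(f"{p}:{no}: NOVA_API_KEY is assigned a literal value")
    sys.exit(1 if found else 0)
```

Run it from a pre-commit hook with the staged file paths as arguments; a non-zero exit blocks the commit.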