·Authentication

Authentication

The NanoBanana API uses API keys for authentication. Your key must be included in every request via the Authorization header.

API key format

All API keys are prefixed with nb_sk_ followed by 40 random alphanumeric characters. Keys are generated once and never shown again — store them safely.

nb_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Passing your key

Include the key in the Authorization header as a Bearer token on every request.

Environment variables

Never hardcode your API key in source code. Use environment variables and add .env* to your .gitignore.

Security best practices

→Never expose API keys in client-side code, browser consoles, or public repositories
→Create separate keys for development and production environments
→Revoke and replace compromised keys immediately from the Dashboard
→Rotate keys periodically as a preventative security measure
→Use read-only keys (coming soon) for analytics/monitoring use cases

Error responses

401unauthorized

Missing, invalid, or revoked API key. Check the Authorization header and make sure the key was not deleted from the Dashboard.

Authorization header

http

Authorization: Bearer nb_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

cURL example

bash

curl https://api.apinanobanana.com/v1/images/generate \
  -H "Authorization: Bearer nb_sk_sua_chave_aqui" \
  -H "Content-Type: application/json"

Environment variable

bash

# .env.local (never commit this)
NANOBANANA_API_KEY=nb_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Error · 401 Unauthorized

json

{
  "error": "unauthorized",
  "message": "Invalid or missing API key. Include it as: Authorization: Bearer nb_sk_..."
}

Authorization header

http

Authorization: Bearer nb_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

cURL example

bash

curl https://api.apinanobanana.com/v1/images/generate \
  -H "Authorization: Bearer nb_sk_sua_chave_aqui" \
  -H "Content-Type: application/json"

Environment variable

bash

# .env.local (never commit this)
NANOBANANA_API_KEY=nb_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Error · 401 Unauthorized

json

{
  "error": "unauthorized",
  "message": "Invalid or missing API key. Include it as: Authorization: Bearer nb_sk_..."
}