Personal Access Tokens and scopes

How to authenticate your requests and limit what each token can do.

Generate a token

Personal Access Tokens (PATs) are created from your store admin panel:

  1. Sign in to your admin panel.
  2. Go to Settings → API Tokens.
  3. Click Create token.
  4. Give it a name and check the scopes you need.
  5. Copy and save the displayed token — it is shown only once.

Each token has the shape:

nvl_live_a4f2c8e1b3d7…

Use the token in your requests

Send the token in the Authorization header on every request:

curl https://api.nuvlyx.com/api/v1/external/orders \
  -H "Authorization: Bearer nvl_live_a4f2c8e1b3d7…"

JavaScript / Node

const r = await fetch("https://api.nuvlyx.com/api/v1/external/orders", {
  headers: { Authorization: `Bearer ${process.env.NUVLYX_TOKEN}` }
});
// 401/403 replies carry an error body, not the orders list: check the status before parsing.
if (!r.ok) throw new Error(`Nuvlyx API returned ${r.status}`);
const orders = await r.json();

Python

import os
import requests

r = requests.get(
    "https://api.nuvlyx.com/api/v1/external/orders",
    headers={"Authorization": f"Bearer {os.environ['NUVLYX_TOKEN']}"},
)
r.raise_for_status()  # raise on 401/403 instead of parsing an error body as orders
orders = r.json()

Available scopes

A scope is an atomic permission granted to a token. If your token lacks the scope an endpoint requires, the API responds 403 Forbidden.

Scope              Allows
products:read      List products and variations.
products:write     Create and update products.
inventory:read     Inspect inventory and stock.
inventory:write    Upload licenses and move stock.
orders:read        Read orders and their status.
orders:write       Create orders on behalf of customers.
customers:read     Read customers and their data.
customers:write    Create and update customers. (coming soon)
wallet:read        Inspect wallet balance.
wallet:write       Top up customer wallets.
webhooks:manage    Manage webhook endpoints.

Security best practices

  • Use minimum scopes: if your bot only reads orders, don't grant wallet:write.
  • Store the token in environment variables, never in versioned code.
  • Rotate tokens periodically: create a new one and revoke the old one once the integration switches over.
  • Revoke immediately if you suspect a token leaked. The action is irreversible.
  • Always use HTTPS. The API rejects plain HTTP requests.

Auth errors

Status   When
401      Token missing, malformed, revoked or expired.
403      Token is valid but lacks the required scopes.
401      The store that owns the token is suspended.
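The scope model above and this error table together, as an added example that is not part of the Nuvlyx docs or SDK: a small client helper that sends the Bearer token, turns 401 and 403 into messages that say what to fix, and only ever logs a redacted form of the token. The transport is injected, and the fake server, its tokens, and the path-to-scope mapping are constructed assumptions so the example runs offline.

```python
import re
from typing import Callable, Optional

API = "https://api.nuvlyx.com/api/v1/external"
# The docs show tokens as "nvl_live_" plus hex; the length is not documented, so only the shape is checked.
TOKEN_RE = re.compile(r"^nvl_live_[0-9a-f]+$")

class AuthError(Exception):
    """Raised when a request cannot be authenticated: malformed token locally, or 401/403 from the API.
    The message carries a redacted token, never the full value."""

def redact(token: str) -> str:
    """Log-safe form of a PAT: the 'nvl_live_' prefix plus the last four characters."""
    return token[:9] + "..." + token[-4:]

def explain_auth_failure(status: int, token: str) -> Optional[str]:
    """Map the 'Auth errors' table to an actionable message; None when the reply is not an auth failure."""
    if status == 401:
        return (f"401 for {redact(token)}: token missing, malformed, revoked, expired, "
                "or the owning store is suspended; check it in the admin panel")
    if status == 403:
        return (f"403 for {redact(token)}: token is valid but lacks a scope this endpoint "
                "requires; grant that scope (or use a token that has it)")
    return None

def api_get(path: str, token: str, send: Callable) -> dict:
    """GET an external-API path with a Bearer PAT. send(url, headers) -> (status, body)
    is injected so the same code runs against the real API or an offline stand-in."""
    if not TOKEN_RE.match(token):
        raise AuthError("value does not look like a Nuvlyx PAT (expected nvl_live_<hex>)")
    status, body = send(f"{API}{path}", {"Authorization": f"Bearer {token}"})
    problem = explain_auth_failure(status, token)
    if problem:
        raise AuthError(problem)
    return body

# Constructed stand-in for the API so the example runs offline. Which scope each path
# requires is an assumption drawn from the scope table, not a documented mapping.
FAKE_TOKENS = {"nvl_live_a4f2c8e1b3d7": {"orders:read"}, "nvl_live_00c0ffee": set()}
FAKE_REQUIRED = {"/orders": "orders:read", "/products": "products:read"}

def fake_send(url: str, headers: dict):
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in FAKE_TOKENS:          # unknown or revoked token -> 401
        return 401, None
    if FAKE_REQUIRED.get(url[len(API):]) not in FAKE_TOKENS[token]:  # missing scope -> 403
        return 403, None
    return 200, {"orders": [{"id": "ord_1", "status": "paid"}]}   # constructed payload
```

To call the real API, pass a `send` that performs the HTTPS request and returns `(status, parsed_body)`; the error handling stays the same.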