Authentication
Notebind supports two authentication methods: API keys for programmatic access and session cookies for browser-based access.
API key authentication
API keys are the recommended way to authenticate agents, scripts, and CI/CD pipelines.
Creating an API key
- Sign in to notebind.com
- Go to Settings → API Keys
- Click Create API Key, give it a name (e.g., “Production Agent”)
- Copy the key immediately — it’s only shown once
Or create one via API (requires existing session auth):

curl -X POST https://notebind.com/api/keys \
  -H "Content-Type: application/json" \
  -H "Cookie: your-session-cookie" \
  -d '{"name": "Production Agent"}'

Using an API key
Pass the key in the Authorization header:

curl https://notebind.com/api/documents \
  -H "Authorization: Bearer nb_sk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"

Key format
API keys follow the format nb_sk_ followed by 32 hex characters:

nb_sk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6

- The nb_sk_ prefix identifies it as a Notebind secret key
- Keys are hashed with SHA-256 before storage — the plain key cannot be recovered
- The first 14 characters (prefix) are stored for display purposes
- last_used_at is updated on each successful authentication
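
An added example, not Notebind's own code: a small scanner that finds key-shaped strings in log or config text using the format described above and redacts them down to the 14-character display prefix. The UTF-8 input and hex output of the SHA-256 fingerprint, and the acceptance of upper-case hex, are assumptions.

```python
import hashlib
import re

# Format stated on the page: "nb_sk_" followed by 32 hex characters.
# Accepting upper-case hex is an assumption made so the scanner errs on the
# side of catching more; the page's sample key is lower-case.
KEY_RE = re.compile(r"\bnb_sk_[0-9a-fA-F]{32}\b")
DISPLAY_PREFIX_LEN = 14  # "first 14 characters (prefix)" per the page


def display_prefix(key: str) -> str:
    """Return the non-secret part of a key that is safe to show or log."""
    return key[:DISPLAY_PREFIX_LEN]


def key_fingerprint(key: str) -> str:
    """SHA-256 of the key, for matching a leak against a key inventory without
    keeping plaintext. UTF-8 in and hex out are assumptions, not page facts."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def scan(text: str) -> list[dict]:
    """Find key-shaped strings; report line number, prefix and fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            key = m.group(0)
            findings.append({"line": lineno, "prefix": display_prefix(key),
                             "sha256": key_fingerprint(key)})
    return findings


def redact(text: str) -> str:
    """Replace every key with its display prefix plus a fixed marker."""
    return KEY_RE.sub(lambda m: display_prefix(m.group(0)) + "[REDACTED]", text)


# Constructed sample: a CI log that echoed a request header. The key is the
# documentation sample from this page, not a real credential.
SAMPLE_LOG = """\
step 1: fetching documents
+ curl https://notebind.com/api/documents -H "Authorization: Bearer nb_sk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
step 2: done, token nb_sk_short is not a key
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), redact(SAMPLE_LOG), sep="\n")
```

Running `redact` over build logs before they are archived keeps only the same prefix the Settings page displays, so a logged key can still be identified and deleted without the secret being retained.
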
Managing keys
| Action | Endpoint |
|---|---|
| List keys | GET /api/keys |
| Create key | POST /api/keys |
| Delete key | DELETE /api/keys/:id |
Session cookie authentication
Browser-based requests use Supabase session cookies automatically. This is what happens when you use the Notebind web app.
The session is managed by @supabase/ssr and stored in an HTTP-only cookie named sb-<project-ref>-auth-token.
Auth methods
- Email/password — Sign up and sign in at notebind.com/auth/register
- Google OAuth — Click “Continue with Google” (coming soon)
- GitHub OAuth — Click “Continue with GitHub” (coming soon)
Share token access
Share links provide limited access to specific documents without authentication. See Share Links & Permissions for details.
Share tokens are passed as query parameters:

curl "https://notebind.com/api/documents/DOC_ID?share_token=TOKEN"

Share token permissions:
| Permission | Can view | Can comment | Can edit | Can suggest |
|---|---|---|---|---|
| view | Yes | No | No | No |
| comment | Yes | Yes | No | No |
| edit | Yes | Yes | Yes | Yes |
Error responses
All authentication failures return a consistent error format:

{
  "data": null,
  "error": {
    "message": "Unauthorized",
    "code": "UNAUTHORIZED"
  }
}

| Status | Meaning |
|---|---|
| 401 | No valid credentials provided |
| 403 | Authenticated but insufficient permissions |