Authentication overview

Base URL

All API calls use the base domain issued to your workspace. For private beta tenants this is:

https://api.support.nexuscore.cloud

Requests must be served over HTTPS. Plain HTTP is rejected.

OAuth client credentials

1. Sign in to the workspace and open Settings → API keys.
2. Click Create credential and choose Server-to-Server.
3. Copy the client_id and client_secret. Store them in your vault—this is the last time the secret is shown.
4. Optionally restrict scopes (e.g., tickets:read, tickets:write, brands:read).

Token endpoint

POST /oauth/token

Body (application/x-www-form-urlencoded):

grant_type=client_credentials&client_id=...&client_secret=...

Response:

{
  "access_token": "eyJhbGciOi...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "tickets:read tickets:write"
}

Workspace-scoped API keys

For quick testing you can generate scoped API keys. They carry the same permissions as OAuth tokens but cannot be refreshed. Use them only in secure server environments.

1. Click Create API key.
2. Name the key after the consuming service (e.g., zendesk-migration-script).
3. Choose scopes and optional brand restrictions.
4. Save the generated key. Rotate it manually through the UI or via the API.

Request signing

Include the bearer token in the Authorization header:

Authorization: Bearer ACCESS_TOKEN

Tokens expire after one hour. Refresh them by repeating the client-credential flow. You can monitor active tokens and revoke them from the Tokens tab.

Rate limits

• Standard limit: 600 requests per minute per workspace.
• Burst limit: 150 requests per 10 seconds.

Contact us if you need a higher quota for ingestion or backfills.

Error responses

Webhook signature verification

When receiving events, validate the X-Nexuscore-Signature header. Use the shared secret provided when configuring the webhook. We provide Node.js and Python helpers in the SDK bundle.