Hierarchy

Tenant
└── Project  (tier: free / xs / s / m / l / xl)
    ├── Service  (kind: backend)   → sk_live_ key
    ├── Service  (kind: frontend)  → pk_live_ key
    └── Umbrella Service           → no API key (shared config parent)

Every resource - secrets, configs, feature flags - is scoped to a service.

Tenant

A tenant is your top-level organisation. It is the billing boundary: invoices are issued per tenant, and your tier quota applies per project within that tenant.
  • One tenant per company, agency, or individual account
  • Tenant roles: owner, finance, member
  • A tenant owner is automatically an owner of every project in the tenant

Project

A project represents one product or application. It has:
  • A tier (free / xs / s / m / l / xl) that controls environments, secrets cap, retention window, and add-on availability
  • Its own member list with project-level roles
  • One or more services and a set of allowed environments

Environments

The environments available to a project depend on its tier:
Tier          Environments
free          develop
xs            develop, production
s             develop, staging, production
m / l / xl    All environments

Project roles

Role         Description
owner        Full control - manage members, settings, all resources
manager      Manage services, secrets, configs, flags; invite members
developer    Read configs and flags; write own dev environment
tester       Read access across all non-secret resources
viewer       Read-only access to configs and flags

Service

A service is a single deployable unit - a backend API, a worker, a frontend app. It belongs to one project and one environment. Every service has an immutable kind:

Backend

Uses sk_live_ API keys. Has access to secrets, configs, and flags. Supports Workload Identity Federation (WIF).

Frontend

Uses pk_live_ API keys. Configs and flags only - secrets are never sent to frontend services. Cannot use WIF.

Umbrella services

An umbrella service acts as a shared config parent. Child services inherit its configs and flags automatically - useful for configs shared across multiple services in the same environment.
  • Umbrella services have no API keys of their own
  • Child services must have the same kind as their umbrella
  • Inheritance is flat (no nested umbrellas)

Auth paths

API key (classic)

X-Nexus-API-Key: sk_live_<64-hex>   // backend services
X-Nexus-API-Key: pk_live_<64-hex>   // frontend services
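
Because sk_live_ keys can read secrets and pk_live_ keys cannot, a backend key that ends up in frontend build output is the misconfiguration worth catching in CI. The following check is an added example, not part of Nexus or its SDK: the file names and keys are constructed, the function names are hypothetical, and accepting upper-case hex is an assumption the page does not confirm.

```python
import re
from dataclasses import dataclass

# Key shape from the page: sk_live_/pk_live_ followed by exactly 64 hex characters.
# Assumption: hex digits may be upper or lower case (the page does not specify).
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])(sk|pk)_live_([0-9a-fA-F]{64})(?![0-9a-fA-F])")
KIND = {"sk": "backend", "pk": "frontend"}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str        # service kind the key belongs to
    redacted: str    # safe to print in CI logs
    violation: bool  # True when a backend key sits in a frontend artifact

def redact(prefix: str, body: str) -> str:
    """Keep enough of the key to identify it for rotation, never the whole value."""
    return f"{prefix}_live_{body[:4]}...{body[-4:]}"

def scan_frontend_artifacts(files: dict[str, str]) -> list[Finding]:
    """Scan frontend build output (path -> text) for Nexus API keys."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in KEY_RE.finditer(line):
                prefix, body = m.group(1), m.group(2)
                findings.append(Finding(path, lineno, KIND[prefix],
                                        redact(prefix, body), prefix == "sk"))
    return findings

# Constructed sample input: fake keys, hypothetical file names.
FAKE_SK = "sk_live_" + "ab12" * 16
FAKE_PK = "pk_live_" + "0f" * 32
SAMPLE = {
    "dist/app.js": 'init({key: "' + FAKE_PK + '"});\n'
                   'headers["X-Nexus-API-Key"] = "' + FAKE_SK + '";',
    # 65 hex characters: too long to be a key, must not be reported.
    "dist/vendor.js": "var t = 'sk_live_" + "a" * 65 + "';",
}

if __name__ == "__main__":
    for f in scan_frontend_artifacts(SAMPLE):
        status = "VIOLATION" if f.violation else "ok"
        print(f"{status:9} {f.path}:{f.line} {f.kind} {f.redacted}")
```

A pk_live_ finding is expected in frontend output; any finding with `violation` set means the key should be rotated and the build fixed.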

Workload Identity Federation (WIF)

Backend services in Kubernetes, AWS, GCP, or Azure environments can authenticate without static API keys. The SDK fetches an OIDC token from the environment, exchanges it at /api/v1/auth/token-exchange for a short-lived session JWT, and auto-refreshes before expiry. See the SDK reference for setup instructions.

Audit log

Every mutating action - and selected read events (secret reveal, list) - is recorded in the audit log with actor, IP, user agent, and timestamp. The retention window depends on the project tier.