Authenticated reference

Nina API endpoints and security posture.

The standalone Nina app is the client surface. Execution, connector state, and backend workflow calls are session-gated and proxied to the Aweb backend only after local auth.

Endpoints

Current Nina surface

GET/api/nina/v1/slicesSession

POST/api/nina/v1/slices/notion-system/runSession

POST/api/nina/v1/slices/talking-head-promo/runSession

GET/api/user/connectionsSession

DELETE/api/user/connections/:platformSession

GET/api/auth/social/:platformSession

GET/api/auth/social/callback/:platformSession

GET/POST/api/mcpSession

POST/api/early-accessPublic queue

Run request

Payload shape

{
  "prompt": "Boutique agency Notion onboarding system",
  "mode": "standard",
  "channels": ["nina_store", "etsy"],
  "dryRun": true,
  "currency": "USD",
  "priceCents": 9900
}

Authentication

Console session

Google sign-in is restricted to the Nina allowlist.
The request queue does not create an account or grant console access.
Connector OAuth begins only after an approved session exists.

MCP

Private by default

Nina /api/mcp rejects unauthenticated calls and is disabled until an admin issues access.
Future MCP keys should be scoped to selected tools and origins.
Tool execution must resolve to the same Nina operator identity.

SDK

Invite-only

Use same-origin session calls today.
Server SDK credentials must never be embedded in browser bundles.
All future SDK keys should be revocable and scoped per subsystem.