Home

API Keys

Use API keys to authenticate API requests.

In this guide, we’ll look at how to register and login through the API. Openfort offers this through a dashboard.'

Managing your dashboard#

Now that you've finished the basics of integrating Openfort into your website, here are few of the account features and processes you'll probably want to understand:

  • Livemode and testing
  • API Keys

Livemode and testing#

Every account is divided into two universes: one for testing, and one for running on your live website. All API requests exist in one of those two universes, and objects in one universe cannot be manipulated by objects in the other.

In test mode, transactions don't go through the mainnet network — instead, they go through simple checks in Openfort to validate that they look like they might be valid transactions. In test mode you can use any combination of data that passes these simple checks.

API keys#

You'll need to authenticate your requests to access any of the endpoints in the Openfort API. In this guide, we'll look at how to get an API key.

Secret and publishable keys#

All accounts have a total of four API keys by default—two for test mode and two for live mode:

  1. Test mode secret key: Use this key to authenticate requests on your server when in test mode. By default, you can use this key to perform any API request without restriction.
  2. Test mode publishable key: Use this key for testing purposes in your web or mobile app’s client-side code.
  3. Live mode secret key: Use this key to authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction.
  4. Live mode publishable key: Use this key, when you’re ready to launch your app, in your web or mobile app’s client-side code.
Type Value When to use
Secret

On the server-side: Must be secret and stored securely in your web or mobile app’s server-side code (such as in an environment variable or credential management system) to call Openfort APIs. Don’t expose this key on a website or embed it in a mobile application.

Publishable

On the client-side: Can be publicly-accessible in your web or mobile app’s client-side code (such as openfort.js) to securely create session keys.

Reveal an API secret key for test mode#

Openfort APIs use your secret key to authenticate requests from your server. To find your API secret key for test mode:

  1. Open the API keys page.
  2. Under API keys, in the Secret key row, click Reveal test key and save the value.

Regenerate API keys#

caution

Regenerating API keys: Regenerating an API key will invalidate the current key and generate a new one. This action cannot be undone. If you have set up webhooks or registered a Shield project with the key, you will need to update them with the new key.

Openfort supports the ability to regenerate, delete and create API keys. You can do this at any time in the API keys section of the dashboard.

  • Delete and regenerate API keys:
generate-delete-api-keys
  • Generate new API keys: You can create multiple API keys when you're planning to generate a new one to avoid disruption to your integration.
generate-api-keys

Limit API keys interaction by IP#

Openfort supports limiting the IPs that can interact with Openfort services using specific APIn keys.

To enable this, API keys section of the dashboard and press the three dots next to the secret key.

A pop-up will appear with an option Whitelist Ips like so:

generate-delete-api-keys

You can then add multiple IPs per single secret key.

If you try to make a request from an unauthorized IP, you will receive a Forbidden error like so:


_10
{
_10
"error": {
_10
"type": "invalid_request_error",
_10
"message": "Access is limited for this address"
_10
}
_10
}

© Alamas Labs
Follow us on TwitterFollow us on GitHubJoin our Discord server