API Keys
Livemode and testing
Every account is divided into two universes: one for testnet, and one for mainnet. All requests exist in one of those two universes, and objects in one universe cannot be manipulated by objects in the other. In test mode, transactions can only go to testnet networks.
API keys
You'll need to authenticate your requests to access any of the endpoints in the Openfort API. API keys are used to authenticate these requests.
Project secret and publishable keys
All accounts have a total of four API keys by default—two for test mode and two for live mode:
- Test project secret key: Use this key to authenticate requests on your server when in test mode. By default, you can use this key to perform any API request without restriction.
- Test project publishable key: Use this key for testing purposes in your web or mobile app's client-side code.
- Live project secret key: Use this key to authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction.
- Live project publishable key: Use this key, when you're ready to launch your app, in your web or mobile app's client-side code.
Shield secret and publishable keys
All accounts have a total of three API keys by default for Shield functionality:
- Shield secret key: Use this key to store the recovery share of your users on your server.
- Shield publishable key: Use this key, when you're ready to launch your app, in your web or mobile app's client-side code.
- Shield encryption share key: Used only with automatic recovery, to encrypt the recovery share.
Type | Value | When to use |
---|---|---|
Secret | sk_test_ypc...YZp | On the server-side: Must be secret and stored securely in your web or mobile app's server-side code (such as in an environment variable or credential management system) to call Openfort APIs. Don't expose this key on a website or embed it in a mobile application. |
Publishable | pk_test_ZXb...aWg | On the client-side: Can be publicly accessible in your web or mobile app's client-side code (such as openfort-js). |
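The rule in the table above (secret keys stay on the server, only publishable keys ship to clients) can be enforced with a pre-release scan of client-side files. The following is an added example, not Openfort code: the key shapes follow the samples on this page, while the sk_live_ prefix, the key character set, the file names and the key values are assumptions constructed for illustration.

```javascript
// Added example, not Openfort code. Key shapes follow the page's samples
// (sk_test_..., pk_test_...); the sk_live_ prefix and the key character set
// are assumptions.
const SECRET_KEY_RE = /\bsk_(test|live)_[A-Za-z0-9_-]{8,}/g;

// Keep only the prefix and the last three characters so that scan reports
// never reproduce the key itself.
function redact(key) {
  const prefix = key.slice(0, key.indexOf("_", 3) + 1);
  return `${prefix}...${key.slice(-3)}`;
}

// files: object mapping a client-side file path to its text contents.
// Returns one finding per secret key occurrence, with a 1-based line number.
function findSecretKeys(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, idx) => {
      for (const match of line.matchAll(SECRET_KEY_RE)) {
        findings.push({
          path,
          line: idx + 1,
          mode: match[1], // "test" or "live"
          key: redact(match[0]),
        });
      }
    });
  }
  return findings;
}

// Constructed sample of client-side sources; all key values are made up.
const sampleClientFiles = {
  "src/openfort.js": [
    'const publishableKey = "pk_test_CONSTRUCTEDpublishable000";',
    "export const config = { publishableKey };",
  ].join("\n"),
  "src/debug.js": [
    "// left over from local testing",
    'const apiKey = "sk_test_CONSTRUCTEDsecret0000abc";',
  ].join("\n"),
};

const findings = findSecretKeys(sampleClientFiles);
for (const f of findings) {
  console.log(`${f.path}:${f.line} embeds a ${f.mode}-mode secret key (${f.key})`);
}
```

Publishable keys are ignored by design. A secret key that this scan finds in client code has already been exposed, so regenerate it rather than only deleting the line.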
Reveal an API secret key in your dashboard
Openfort APIs use your secret key to authenticate requests from your server. To find your API secret key for test mode:
- Open the API keys page.
- Under API keys, in the Secret key row, click Reveal test key and save the value.
Regenerate API keys
Openfort supports the ability to regenerate, delete and create API keys. You can do this at any time in the API keys section of the dashboard.
- Delete and regenerate API keys:
- Generate new API keys: You can create multiple API keys, so that when you're planning to generate a new one you can avoid disruption to your integration.
Limit API keys interaction by IP
Openfort supports limiting the IPs that can interact with Openfort services using specific API keys.
To enable this, navigate to the API keys section of the dashboard and press the three dots next to the secret key.
A new page will appear with a Whitelist IPs option.
You can then add multiple IPs per single secret key.
If you try to make a request from an unauthorized IP, you will receive a Forbidden error like so:
{
  "error": {
    "type": "invalid_request_error",
    "message": "Access is limited for this address"
  }
}