Purpose of API/Client Keys
The table below highlights the purpose of API keys and client keys.

| Purpose | API Key | Client Key |
|---|---|---|
| Usage | Authenticates and authorizes access to Circle W3S RESTful APIs from backend systems. Not safe for public sharing. | Authenticates your client application and grants limited access to Circle’s RESTful APIs. Typically used with Circle’s SDKs. |
| Ideal for | Services from your backend that leverage Circle’s APIs. | Frontend applications (for example, web or mobile apps) using Circle’s serverless SDKs. |
| Where to use | Required for serverless cloud apps, micro-services, and client apps to make secure calls to Circle’s APIs. | Required for client applications to make secure calls to Circle’s services. |
Products and API/Client Keys
The table below lists which Circle products require API keys or client keys.

| Product/Service | API Key | Client Key |
|---|---|---|
| Wallets: Modular | ✅ For retrieving transfer and UserOps data from Circle Indexing Service via RESTful APIs | ✅ For modular wallets SDKs |
| Wallets: User-Controlled | ✅ | ❌ |
| Wallets: Dev-Controlled | ✅ | ❌ |
| Contracts | ✅ | ❌ |
API Key
What is an API Key?
An API key is a unique string used to authenticate and enable access to privileged operations on Circle’s APIs. It’s required for any RESTful API requests to Circle services. Without it, requests will fail.
Keep Your API Keys Safe
API keys allow access to sensitive operations, so they must be secured.
- Avoid public exposure. Never share API keys or include them in client-side code, public repositories, or other public mediums.
- Manage securely. Use your Circle Developer account to generate and manage API keys. When generating a key, copy it exactly as displayed.
Caution: Losing control of your API key can result in financial loss.
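A pre-commit or CI check that supports the "avoid public exposure" rule above, as an added example (not Circle's code): it flags key-shaped strings carrying the TEST_API_KEY or LIVE_API_KEY marker in files headed for client bundles or public repositories. The colon-separated key shape, the file-suffix list and the sample values are assumptions made for this example.

```python
"""Scan source files for strings shaped like Circle API keys (added example)."""
import re
import sys
from pathlib import Path

# Assumption: a real key carries the TEST_API_KEY or LIVE_API_KEY marker followed
# by ':'-separated opaque segments. Tune the pattern to the keys your console issues.
KEY_RE = re.compile(r"\b(TEST|LIVE)_API_KEY(?::[A-Za-z0-9]{8,})+")
# Hypothetical default: file types that usually ship to clients or public repos.
SUFFIXES = {".js", ".ts", ".html", ".json", ".env", ".swift", ".kt"}


def redact(token):
    """Keep only the marker so the report never re-leaks the secret."""
    return token.split(":", 1)[0] + ":<redacted>"


def scan_text(text, source="<memory>"):
    """Return one finding per key-shaped string, with file, line and network."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "network": "mainnet" if m.group(1) == "LIVE" else "testnet",
                "match": redact(m.group(0)),
            })
    return findings


def scan_tree(root):
    """Walk a directory and scan every file whose suffix is in SUFFIXES."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in SUFFIXES or path.name.startswith(".env")):
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings


# Constructed sample input: the key values below are made up for this example.
SAMPLE = """const apiKey = "LIVE_API_KEY:0123456789abcdef:fedcba9876543210";
// placeholder text only, no secret follows: TEST_API_KEY
const fromEnv = process.env.CIRCLE_API_KEY;
let k = 'TEST_API_KEY:aaaaaaaabbbbbbbb:ccccccccdddddddd';
"""

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.js")
    for h in hits:
        print(f'{h["source"]}:{h["line"]}: {h["network"]} key {h["match"]}')
    sys.exit(1 if hits else 0)
```

The script exits non-zero when it finds a match, so it can block a commit or fail a pipeline step; the bare marker with no segments after it is deliberately ignored so documentation placeholders do not trigger it.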
API Key Authentication
You can use the headers below to authenticate requests on testnet or mainnet, respectively.
TEST_API_KEY and LIVE_API_KEY
The strings TEST_API_KEY and LIVE_API_KEY are essential components of an API key. You must include these strings when passing API keys to access Circle’s services.
Testnet (Test) Authorization Header Example
Mainnet (Live) Authorization Header Example
Testing Authentication
To verify your API key setup, you can use the following curl command, for
example, to retrieve wallets:
Successful Response Example
Error Response Example
Client Key
What is a Client Key?
A client key is a unique string used to authenticate and authorize API access for customer applications leveraging Circle’s SDKs. A client key is linked to a specific domain host (for websites), a bundle ID (for iOS mobile), or a package name (for Android mobile), ensuring access is restricted to preconfigured applications.
Note: A client key must be included in the headers of all modular wallets SDK API calls.
Best Practices for Client Keys
Client keys enable access to sensitive application operations, so it’s critical to protect them. Follow these best practices to ensure their security:
- Use separate keys for each application. Create separate keys for web and mobile apps (iOS, Android, etc.) to prevent shared vulnerabilities.
- Monitor for misuse. Set up alerts for unusual activity, such as unexpected spikes in API calls, using monitoring tools to detect anomalies.
- Rotate keys regularly. Regenerate client keys periodically and update them in your apps to reduce risk if a key is compromised.
- Store keys securely. Use secure storage options like Local Storage or Secure Storage for mobile apps, and avoid unnecessary exposure.
- Restrict access. Limit the scope of client keys by associating them with specific apps or domains to minimize potential misuse.