API keys
Livemode and testing
Every account is divided into two universes: one for testnet, and one for mainnet. All requests exist in one of those two universes, and objects in one universe cannot be manipulated by objects in the other. In test mode, transactions can only go to testnet networks.
API keys
You'll need to authenticate your requests to access any of the endpoints in the Openfort API. API keys are used to authenticate these requests.
Project secret and publishable keys
All accounts have a total of four API keys by default—two for test mode and two for live mode:
- Test project secret key: Use this key to authenticate requests on your server when in test mode. By default, you can use this key to perform any API request without restriction.
- Test project publishable key: Use this key for testing purposes in your web or mobile app's client-side code.
- Live project secret key: Use this key to authenticate requests on your server when in live mode. By default, you can use this key to perform any API request without restriction.
- Live project publishable key: Use this key, when you're ready to launch your app, in your web or mobile app's client-side code.
Shield secret and publishable keys
All accounts have a total of three API keys by default for Shield functionality:
- Shield secret key: Use this key to store your users' recovery shares on the server.
- Shield publishable key: Use this key, when you're ready to launch your app, in your web or mobile app's client-side code.
- Shield encryption share key: Used only when you use automatic recovery, to encrypt the recovery share.
Type | Value | When to use |
---|---|---|
Secret | | On the server-side: Must be secret and stored securely in your web or mobile app's server-side code (such as in an environment variable or credential management system) to call Openfort APIs. Don't expose this key on a website or embed it in a mobile application. |
Publishable | | On the client-side: Can be publicly-accessible in your web or mobile app's client-side code (such as |
Reveal an API secret key in your dashboard
Openfort APIs use your secret key to authenticate requests from your server. To find your API secret key for test mode:
- Open the API keys page.
- Under API keys, in the Secret key row, click Reveal test key and save the value.
Regenerate API keys
Regenerating an API key will invalidate the current key and generate a new one. This action cannot be undone. If you have set up webhooks or registered a Shield project with the key, you will need to update them with the new key.
Openfort supports the ability to regenerate, delete and create API keys. You can do this at any time in the API keys section of the dashboard.
- Delete and regenerate API keys:

- Generate new API keys: You can create multiple API keys, which lets you generate a new key ahead of time and avoid disruption to your integration.

Limit API keys interaction by IP
Openfort supports limiting the IPs that can interact with Openfort services using specific API keys.
To enable this, navigate to the API keys section of the dashboard and press the three dots next to the secret key.
A new page will appear with a Whitelist IPs option.

You can then add multiple IPs per single secret key.
If you try to make a request from an unauthorized IP, you will receive a Forbidden error like so:

```json
{
  "error": {
    "type": "invalid_request_error",
    "message": "Access is limited for this address"
  }
}
```
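
The following is an added example, not code from Openfort: a server-side classifier that recognizes the allowlist rejection shown above so it is reported to operators instead of retried, and a summary of which egress addresses were refused per key. It assumes the Forbidden error arrives as HTTP 403; the record fields `keyLabel` and `egressIp` are hypothetical names, and the sample records are constructed.

```javascript
// Added example, not Openfort code. keyLabel/egressIp are hypothetical field names.
const ALLOWLIST_MESSAGE = "Access is limited for this address"; // from the error body above

// Classify one API response. Assumes "Forbidden" means HTTP 403.
function classifyResponse(status, bodyText) {
  if (status >= 200 && status < 300) return { kind: "ok", retry: false };
  let err = null;
  try {
    const parsed = JSON.parse(bodyText);
    if (parsed && parsed.error && typeof parsed.error === "object") err = parsed.error;
  } catch (_) {
    // Non-JSON body (proxy error page, truncated response): classify by status only.
  }
  if (status === 403 && err && err.type === "invalid_request_error" &&
      err.message === ALLOWLIST_MESSAGE) {
    // Retrying from the same address cannot succeed; surface it to operators.
    return { kind: "ip_not_allowlisted", retry: false };
  }
  // Generic HTTP convention, not Openfort-specific: only 5xx is worth retrying.
  if (status >= 500) return { kind: "transient", retry: true };
  return { kind: "api_error", retry: false };
}

// Group allowlist rejections by key label and list the refused egress IPs,
// so they can be compared with the allowlist configured in the dashboard.
// Records carry a label for the key, never the secret key itself.
function rejectedEgress(records) {
  const byKey = new Map();
  for (const r of records) {
    if (classifyResponse(r.status, r.body).kind !== "ip_not_allowlisted") continue;
    const entry = byKey.get(r.keyLabel) || { keyLabel: r.keyLabel, count: 0, ips: new Set() };
    entry.count += 1;
    entry.ips.add(r.egressIp);
    byKey.set(r.keyLabel, entry);
  }
  return [...byKey.values()].map((e) => ({ ...e, ips: [...e.ips].sort() }));
}

// Constructed sample records (documentation-range IPs), not real traffic.
const DENIED = JSON.stringify({ error: { type: "invalid_request_error", message: ALLOWLIST_MESSAGE } });
const SAMPLE = [
  { keyLabel: "live-backend", egressIp: "203.0.113.10", status: 200, body: "{}" },
  { keyLabel: "live-backend", egressIp: "198.51.100.7", status: 403, body: DENIED },
  { keyLabel: "live-backend", egressIp: "198.51.100.7", status: 403, body: DENIED },
  { keyLabel: "test-ci", egressIp: "203.0.113.10", status: 502, body: "<html>Bad Gateway</html>" },
];

console.log(JSON.stringify(rejectedEgress(SAMPLE)));
```

A rejection from an address you do not operate means the key is in use somewhere unexpected, which is a reason to regenerate it.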