API Keys
API keys are how your resource identifies itself to us for authentication and rate limiting purposes. If you do not use an API key, your client is treated as “anonymous” and subject to significantly lower rate limits. The snippets on the detail page of any resource show how to attach an API key to your requests.
As a general rule, you should only have one API key at a time per resource. Aptos Build lets you create multiple keys for a single resource purely to enable key rotation, for example when a key is leaked: create the replacement key, move your callers to it, then delete the old key once its traffic has stopped.
Client Usage
When creating a new API key you will be prompted to decide whether it is intended for client usage or not. Client usage means any context where the API key is exposed to the public, e.g. a dapp, a mobile app, or a browser extension. If you will only use the API key in a private, backend context, you do not need to worry about this.
If you select “Client Usage” you will be prompted to provide a set of approved URLs and/or extension IDs. We will confirm that the Origin of the request matches one of the approved URLs or extension IDs. Note that the Origin header is set by the browser or extension runtime, not by your code, and a non-browser client can send any Origin it likes; this check restricts where the key works from a real browser, it does not make the key secret.
When using a client key you must also set a per-IP limit, e.g. 10,000 CUs per 5-minute window. This ensures that no single user of your app can accrue too much usage and helps prevent abuse, since the key itself is public and cannot be what limits who calls.
Learn more about billing and system limits here.
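To make the two client-key checks concrete, here is an added example (written for this page, not Aptos Build's own code) that models an approved-origin allowlist and a per-IP compute-unit window over a few constructed requests. The example origins, extension ID and IP addresses are illustrative assumptions; only the 10,000 CUs per 5-minute window figure is taken from the text above.

```javascript
// Added example (not Aptos Build's own code): a model of the two checks a
// client key is subject to, an Origin allowlist and a per-IP compute-unit
// budget. The policy values are illustrative assumptions; only the
// "10,000 CUs per 5-minute window" figure comes from the page.

const CLIENT_KEY_POLICY = {
  // Approved URLs are compared as serialized origins (scheme + host + port),
  // so a path or trailing slash never affects the match.
  approvedOrigins: new Set(["https://app.example.com", "http://localhost:3000"]),
  // Extension IDs arrive as the host part of a chrome-extension:// or
  // moz-extension:// origin.
  approvedExtensionIds: new Set(["abcdefghijklmnopabcdefghijklmnop"]),
  perIpCuLimit: 10000,
  windowMs: 5 * 60 * 1000,
};

// Does the request's Origin header match the key's allowlist?
// A missing Origin, the literal "null" origin (sandboxed iframes, file://)
// or an unparsable value is rejected rather than treated as a wildcard.
function originAllowed(origin, policy) {
  if (typeof origin !== "string" || origin === "" || origin === "null") return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false;
  }
  if (url.protocol === "chrome-extension:" || url.protocol === "moz-extension:") {
    return policy.approvedExtensionIds.has(url.hostname);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // url.origin is canonical: scheme and host lower-cased, default port
  // dropped, no path, so "app.example.com.evil.test" cannot pass as a prefix.
  return policy.approvedOrigins.has(url.origin);
}

// Fixed-window CU budget per client IP. Windows start at multiples of
// windowMs; a request that would push the window past the limit is refused
// and not charged.
class PerIpCuLimiter {
  constructor(policy) {
    this.policy = policy;
    this.buckets = new Map(); // ip -> { windowStart, used }
  }
  admit(ip, cu, nowMs) {
    const windowStart = nowMs - (nowMs % this.policy.windowMs);
    const bucket = this.buckets.get(ip);
    const used = bucket && bucket.windowStart === windowStart ? bucket.used : 0;
    if (used + cu > this.policy.perIpCuLimit) return false;
    this.buckets.set(ip, { windowStart, used: used + cu });
    return true;
  }
}

// The cheap origin check runs first so a forged-origin request never
// consumes budget; only then is the per-IP window charged.
function handleRequest(req, limiter, policy) {
  if (!originAllowed(req.origin, policy)) return { status: 403, reason: "origin not approved" };
  if (!limiter.admit(req.ip, req.cu, req.nowMs)) return { status: 429, reason: "per-IP CU limit" };
  return { status: 200 };
}

// Constructed sample traffic: one browser at 203.0.113.5 burning its budget,
// one forged Origin, one approved extension, and the browser again in the
// next window. T0 is chosen to be window-aligned (a multiple of windowMs).
const T0 = 1_700_000_100_000;
const SAMPLE_REQUESTS = [
  { ip: "203.0.113.5", origin: "https://app.example.com", cu: 3000, nowMs: T0 },
  { ip: "203.0.113.5", origin: "https://app.example.com/", cu: 3000, nowMs: T0 + 1000 },
  { ip: "203.0.113.5", origin: "https://app.example.com", cu: 5000, nowMs: T0 + 2000 },
  { ip: "198.51.100.7", origin: "https://app.example.com.evil.test", cu: 10, nowMs: T0 + 3000 },
  { ip: "198.51.100.7", origin: "chrome-extension://abcdefghijklmnopabcdefghijklmnop", cu: 10, nowMs: T0 + 4000 },
  { ip: "203.0.113.5", origin: "https://app.example.com", cu: 5000, nowMs: T0 + CLIENT_KEY_POLICY.windowMs },
];

// Returns the HTTP status each sample request would receive.
function simulate(requests = SAMPLE_REQUESTS, policy = CLIENT_KEY_POLICY) {
  const limiter = new PerIpCuLimiter(policy);
  return requests.map((req) => handleRequest(req, limiter, policy).status);
}

console.log(simulate()); // [200, 200, 429, 403, 200, 200]
```

Two details matter in practice. The origin comparison uses the serialized origin, so `https://app.example.com.evil.test` is not confused with `https://app.example.com`, and a missing or `null` Origin is refused rather than treated as a match. And because any non-browser client can forge the Origin header, the per-IP window is what actually bounds how much a single abuser can draw against your quota.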
Key Types
To help you manage your keys correctly, you’ll notice that keys intended for client usage have a different format than keys intended for backend usage:
- Server: Used from a private backend. Keep these secret: never embed them in a dapp, mobile app, browser extension, or any other artifact that ships to users. Example:
aptoslabs_aXjFX8fDdZv_AXMynDZvp711WTBpSBmqLyj12RV9RFA6B
- Client: Used from a public frontend. We perform additional checks and analytics to ensure the use of these IDs is authentic. Example:
AG-FL4PYMZ1YX1LGAJCWP2R1ACYTYRCBY1GB
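Because the two key types differ in format, a repository check can catch a server key that is about to ship in a public build. The following is an added example (not Aptos Build's own tooling) of such a scan over a constructed file tree. The patterns are inferred from the two example keys above, so the minimum length and alphabet are assumptions rather than a published specification, and the public-path prefixes are a placeholder for your own project layout.

```javascript
// Added example (not Aptos Build's own tooling): refuse to let a
// server-format key into files that ship to a public client. The key
// patterns are inferred from the two example keys on this page (server keys
// start with "aptoslabs_", client keys with "AG-"); the minimum length and
// alphabet are assumptions, not a published format spec.

const SERVER_KEY_RE = /\baptoslabs_[A-Za-z0-9_]{20,}\b/g;
const CLIENT_KEY_RE = /\bAG-[A-Z0-9]{20,}\b/g;

// Classify a single key string by its format.
function classifyKey(key) {
  if (/^aptoslabs_[A-Za-z0-9_]{20,}$/.test(key)) return "server";
  if (/^AG-[A-Z0-9]{20,}$/.test(key)) return "client";
  return "unknown";
}

// Find every key-shaped token in a text, with its 1-based line number.
function findKeys(text) {
  const found = [];
  text.split("\n").forEach((lineText, i) => {
    for (const re of [SERVER_KEY_RE, CLIENT_KEY_RE]) {
      for (const m of lineText.matchAll(re)) {
        found.push({ line: i + 1, key: m[0], kind: classifyKey(m[0]) });
      }
    }
  });
  return found;
}

// Directories that are bundled into a browser, mobile or extension build
// (assumed layout): anything under them is public once deployed.
const PUBLIC_PATH_PREFIXES = ["src/", "public/", "extension/"];

function isPublicPath(path) {
  return PUBLIC_PATH_PREFIXES.some((p) => path.startsWith(p));
}

// Never echo a whole secret into CI logs; keep just enough to locate it.
function redact(key) {
  return key.slice(0, 14) + "..." + key.slice(-4);
}

// One finding per server key found in a public path. Client keys are
// expected there and are not reported; a server key outside public paths is
// left to the project's usual secret handling.
function scanFrontend(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (!isPublicPath(path)) continue;
    for (const hit of findKeys(text)) {
      if (hit.kind === "server") {
        findings.push({ file: path, line: hit.line, key: redact(hit.key) });
      }
    }
  }
  return findings;
}

// Constructed sample tree using the two example keys from this page:
// a server key wrongly placed in frontend source, a client key where it
// belongs, and the server key in a backend env file.
const SAMPLE_FILES = {
  "src/config.ts":
    'export const NODE_API_KEY = "aptoslabs_aXjFX8fDdZv_AXMynDZvp711WTBpSBmqLyj12RV9RFA6B";\n',
  "src/client.ts":
    'export const CLIENT_KEY = "AG-FL4PYMZ1YX1LGAJCWP2R1ACYTYRCBY1GB";\n',
  "server/.env":
    "APTOS_API_KEY=aptoslabs_aXjFX8fDdZv_AXMynDZvp711WTBpSBmqLyj12RV9RFA6B\n",
};

const findings = scanFrontend(SAMPLE_FILES);
for (const f of findings) {
  console.error(`server key in public file ${f.file}:${f.line} (${f.key})`);
}
// In a pre-commit hook or CI step, exit non-zero when findings is non-empty.
```

Wire this into a pre-commit hook or CI step and fail the build on any finding; the reverse mistake, a client key used from a backend, is not a leak but does forfeit the higher server-side limits, so `classifyKey` is also worth running against whatever your backend loads from its environment.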
Anonymous Requests
Certain Aptos Build services (e.g. the node and indexer APIs) allow unauthenticated requests, also known as anonymous requests. When no key is provided, rate limiting is applied on a per-IP, per-origin basis. Anonymous limits are significantly lower than authenticated limits.