Caution: Losing control of your API key can result in financial loss.
You can use API keys and client keys to authenticate requests to Circle's APIs. Use API keys to authenticate and authorize calls to Circle's APIs from your backend services. Use client keys to authenticate and authorize calls to Circle's APIs from your frontend apps, exposed sites, and other public interfaces. This document explains their differences, usage, and security best practices.
The table below highlights the purpose of API keys and client keys.
Purpose | API Key | Client Key |
---|---|---|
Usage | Authenticates and authorizes access to Circle W3S RESTful APIs from backend systems. Not safe for public sharing. | Authenticates your client application and grants limited access to Circle's RESTful APIs. Typically used with Circle's SDKs. |
Ideal for | Services from your backend that leverage Circle's APIs. | Frontend applications (for example, web or mobile apps) using Circle's serverless SDKs. |
Where to use | Required for serverless cloud apps, micro-services, and client apps to make secure calls to Circle's APIs. | Required for client applications to make secure calls to Circle's services. |
The table below lists which Circle products require API keys or client keys.
Product/Service | API Key | Client Key |
---|---|---|
Modular Wallets | ✅ For retrieving transfer and UserOps data from Circle Indexing Service via RESTful APIs | ✅ For Modular Wallets SDKs |
User-Controlled Wallets | ✅ | ❌ |
Developer-Controlled Wallets | ✅ | ❌ |
Contracts | ✅ | ❌ |
An API key is a unique string used to authenticate and enable access to privileged operations on Circle’s APIs. It’s required for any RESTful API requests to Circle services. Without it, requests will fail.
API keys allow access to sensitive operations, so they must be secured.
You can use the headers below to authenticate requests on testnet or mainnet, respectively.
TEST_API_KEY and LIVE_API_KEY
The strings TEST_API_KEY and LIVE_API_KEY are essential components of an API key. You must include these strings when passing API keys to access Circle's services.
```
authorization: Bearer TEST_API_KEY:ebb3ad72232624921abc4b162148bb84:019ef3358ef9cd6d08fc32csfe89a68d
authorization: Bearer LIVE_API_KEY:ebb3ad72232624921abc4b162148bb84:019ef3358ef9cd6d08fc32csfe89a68d
```
To verify your API key setup, you can use the following curl command, for example, to retrieve wallets:
```
curl --request GET \
  --url https://api.circle.com/v1/w3s/wallets \
  --header 'accept: application/json' \
  --header 'authorization: Bearer <API_KEY>'
```
A successful response looks like this:

```
{
  "data": {
    "wallets": []
  }
}
```

An error response looks like this:

```
{
  "code": 401,
  "message": "Malformed authorization. Are the credentials properly encoded?"
}
```
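Because API keys always carry the TEST_API_KEY or LIVE_API_KEY string and are not safe for public sharing, a build or CI step can look for them in anything that ships to clients. The scanner below is an added example, not Circle's code; the two 32-character segments are an assumption inferred from the sample headers on this page, and the bundle contents and file name are constructed.

```python
import re

# Assumption: key layout inferred from this page's sample headers,
# <TEST_API_KEY|LIVE_API_KEY>:<32 chars>:<32 chars>, lowercase letters and digits.
KEY_RE = re.compile(r"\b(TEST|LIVE)_API_KEY:([0-9a-z]{32}):([0-9a-z]{32})\b")
ENVIRONMENTS = {"TEST": "testnet", "LIVE": "mainnet"}


def redact(match):
    """Loggable form of a match: prefix plus 4 chars of the first segment, rest dropped."""
    env, first, _second = match.groups()
    return f"{env}_API_KEY:{first[:4]}...:<redacted>"


def find_api_keys(text, source="<input>"):
    """Return one finding per embedded API key without echoing the key itself."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": line_no,
                "environment": ENVIRONMENTS[m.group(1)],
                "key": redact(m),
            })
    return findings


# Constructed sample: a frontend bundle with a backend API key pasted in.
# The key is fake; placeholders such as <API_KEY> must not be reported.
FAKE_LIVE = "LIVE_API_KEY:" + "0a" * 16 + ":" + "1b" * 16
SAMPLE_BUNDLE = "\n".join([
    "const clientKey = '<CLIENT_KEY>';",
    "fetch(url, {headers: {authorization: 'Bearer " + FAKE_LIVE + "'}});",
    "// authorization: Bearer <API_KEY>",
])

if __name__ == "__main__":
    for f in find_api_keys(SAMPLE_BUNDLE, "app.bundle.js"):
        print(f"{f['source']}:{f['line']}: {f['environment']} API key {f['key']}")
```

Treat any finding as a reason to stop the release; a LIVE_API_KEY finding is the more urgent one, since that key authenticates requests on mainnet.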
A client key is a unique string used to authenticate and authorize API access for customer applications leveraging Circle's SDKs. A client key is linked to a specific domain host (for websites), a bundle ID (for iOS mobile), or a package name (for Android mobile), ensuring access is restricted to preconfigured applications.
Note: A client key must be included in the headers of all Modular Wallets SDK API calls.
Client keys enable access to sensitive application operations, so it’s critical to protect them. Follow these best practices to ensure their security: