Caution: Losing control of your API key can result in financial loss.
You can use API keys and client keys to authenticate requests to Circle's APIs. Use API keys to authenticate and authorize calls to Circle’s APIs from your backend services. Use Client keys to authenticate and authorize calls to Circle's APIs from your frontend apps, exposed sites, and other public interfaces. This document explains their differences, usage, and security best practices.
The table below highlights the purpose of API keys and client keys.
| Purpose | API Key | Client Key |
|---|---|---|
| Usage | Authenticates and authorizes access to Circle W3S RESTful APIs from backend systems. Not safe for public sharing. | Authenticates your client application and grants limited access to Circle's RESTful APIs. Typically used with Circle's SDKs. |
| Ideal for | Services from your backend that leverage Circle's APIs. | Frontend applications (for example, web or mobile apps) using Circle's serverless SDKs. |
| Where to use | Required for serverless cloud apps, micro-services, and client apps to make secure calls to Circle's APIs. | Required for client applications to make secure calls to Circle's services. |
The table below lists which Circle products require API keys or client keys.
| Product/Service | API Key | Client Key |
|---|---|---|
| Modular Wallets | ✅ For retrieving transfer and UserOps data from Circle Indexing Service via RESTful APIs | ✅ For Modular Wallets SDKs |
| User-Controlled Wallets | ✅ | ❌ |
| Developer-Controlled Wallets | ✅ | ❌ |
| Contracts | ✅ | ❌ |
An API key is a unique string used to authenticate and enable access to privileged operations on Circle’s APIs. It’s required for any RESTful API requests to Circle services. Without it, requests will fail.
API keys allow access to sensitive operations, so they must be secured.
- Avoid public exposure. Never share API keys or include them in client-side code, public repositories, or other public mediums.
- Manage securely. Use your Circle Developer account to generate and manage API keys. When generating a key, copy it exactly as displayed.
You can use the headers below to authenticate requests on testnet or mainnet, respectively.
TEST_API_KEY and LIVE_API_KEY
The strings TEST_API_KEY and LIVE_API_KEY are essential components of an API
key. You must include these strings when passing API keys to access Circle's
services.
Text
authorization: Bearer TEST_API_KEY:ebb3ad72232624921abc4b162148bb84:019ef3358ef9cd6d08fc32csfe89a68d
Text
authorization: Bearer LIVE_API_KEY:ebb3ad72232624921abc4b162148bb84:019ef3358ef9cd6d08fc32csfe89a68d
To verify your API key setup, you can use the following curl command, for
example, to retrieve wallets:
Shell
curl --request GET \
--url https://api.circle.com/v1/w3s/wallets \
--header 'accept: application/json' \
--header 'authorization: Bearer <API_KEY>'
Successful Response Example
JSON{
"data": {
"wallets": []
}
}
Error Response Example
JSON{
"code": 401,
"message": "Malformed authorization. Are the credentials properly encoded?"
}
A client key is a unique string used to authenticate and authorize API access for customer applications leveraging Circle's SDKs. A client key is linked to a specific domain host (for websites), a bundle ID (for iOS mobile), or a package name (for Android mobile), ensuring access is restricted to preconfigured applications.
Note: A client key must be included in the headers of all Modular Wallets SDK API calls.
Client keys enable access to sensitive application operations, so it’s critical to protect them. Follow these best practices to ensure their security:
- Use separate keys for each application. Create separate keys for web and mobile apps (iOS, Android, etc.) to prevent shared vulnerabilities.
- Monitor for misuse. Set up alerts for unusual activity, such as unexpected spikes in API calls, using monitoring tools to detect anomalies.
- Rotate keys regularly. Regenerate client keys periodically and update them in your apps to reduce risk if a key is compromised.
- Store keys securely. Use secure storage options like Local Storage or Secure Storage for mobile apps, and avoid unnecessary exposure.
- Restrict access. Limit the scope of client keys by associating them with specific apps or domains to minimize potential misuse.
Did this page help you?
© 2023-2025 Circle Technology Services, LLC. All rights reserved.
