API Keys

API Keys are required to use thirdweb’s infrastructure services including Storage, RPC Edge, Smart Wallets, and Embedded Wallets.

API Keys allow you to:

  • Upload and download assets to IPFS using Storage via dashboard, CLI, or SDKs
  • Use a dedicated RPC Edge service in your application
  • Use Bundler & Paymaster services for your Smart Wallets
  • Enable various services such as signing in with Google, Facebook, Apple, Email, and Custom JWT when using Embedded wallets.

An API Key consists of two components:

  • Client ID - Used to access the enabled thirdweb infrastructure services and identify your application using an app bundle ID (identifier for native apps) or domain (identifier for websites). Client IDs can be restricted to allow only specified domains and app bundle IDs to access the enabled services.
  • Secret Key - Used to access the enabled thirdweb infrastructure services by identifying and authenticating your application from a backend. Sharing or exposing this key to others is unsafe because it grants access to all services.

Create an API Key

To create an API key:

  1. Log in to the dashboard and navigate to Settings > API Keys view.

  2. Select Create API Key

  3. Assign a descriptive name to the API Key.

  4. Input the domains you want to restrict your application to in Allowed Domains then select Next. Restricting domains is highly recommended for any applications with client-side code or frontend applications.

    1. Authorize all domains by selecting the checkbox or inputting * into the text field
    2. Authorize local URLs with localhost:<port>

  5. Store your secret key in a secure location and confirm that you have stored it by checking the checkbox then select Complete.

    Danger: Do not share secret keys. They grant access to all thirdweb services. Secret keys should only be used in backend environments like CLI, scripts, and servers. Never expose secret keys in client-side code due to the lack of access restrictions.


Edit enabled services on API Keys

All services on API keys are enabled by default. If you want to disable any services or edit settings for each service:

  1. Navigate to Settings > API Keys on the dashboard.

  2. Choose the API Key from which you want to enable or disable a Service.

  3. Select Edit to enter the editor view.

  4. Navigate to the Services section, enable or disable services, and modify their settings as needed.

  5. Save changes.


Use API keys in your application

When writing backends or scripts, you can use the secret key to instantiate the SDK:

import { ThirdwebSDK } from "@thirdweb-dev/sdk";

// Read-only mode
const readOnlySdk = new ThirdwebSDK("goerli", {
  // Use the secret key only on the server; get it from dashboard settings
  secretKey: "YOUR_SECRET_KEY",
});

When using the TypeScript SDK for frontend applications, use the Client ID:

import { ThirdwebSDK } from "@thirdweb-dev/sdk";

// Read-only mode
const readOnlySdk = new ThirdwebSDK("goerli", {
  // Use the Client ID on the client side; get it from dashboard settings
  clientId: "YOUR_CLIENT_ID",
});
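
One way to enforce the split between the two snippets above in code that may run on both server and client. This is an added example, not thirdweb code; the environment variable names THIRDWEB_SECRET_KEY and THIRDWEB_CLIENT_ID and the helper names are assumptions, and the list of bundler prefixes goes beyond what this page covers.

```javascript
// Added example, not thirdweb code. The variable names below are assumptions.
const SECRET_VAR = "THIRDWEB_SECRET_KEY"; // assumed name, server-only
const CLIENT_VAR = "THIRDWEB_CLIENT_ID"; // assumed name, safe to ship

// Prefixes that Next.js, Vite, Create React App and Expo inline into client bundles.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];

// Names of client-exposed variables that would leak the secret key: the value
// equals the secret, or the name itself says it holds a secret key.
function findExposedSecrets(env) {
  const secret = env[SECRET_VAR];
  return Object.keys(env)
    .filter((name) => PUBLIC_PREFIXES.some((prefix) => name.startsWith(prefix)))
    .filter((name) => Boolean(secret && env[name] === secret) || /SECRET_?KEY/i.test(name))
    .sort();
}

// Options for the second argument of `new ThirdwebSDK(chain, options)`.
// Browser code only ever receives clientId; backend code receives secretKey.
function thirdwebOptions(env, isBrowser) {
  const exposed = findExposedSecrets(env);
  if (exposed.length > 0) {
    throw new Error(`secret key exposed to client bundles via ${exposed.join(", ")}`);
  }
  if (isBrowser) {
    if (env[SECRET_VAR]) throw new Error(`${SECRET_VAR} must not be readable in the browser`);
    if (!env[CLIENT_VAR]) throw new Error(`${CLIENT_VAR} is not set`);
    return { clientId: env[CLIENT_VAR] };
  }
  if (!env[SECRET_VAR]) throw new Error(`${SECRET_VAR} is not set`);
  return { secretKey: env[SECRET_VAR] };
}

// Constructed sample environments; the values are placeholders, not real keys.
const goodEnv = { THIRDWEB_SECRET_KEY: "constructed-secret", THIRDWEB_CLIENT_ID: "constructed-client-id" };
const badEnv = { ...goodEnv, NEXT_PUBLIC_THIRDWEB_KEY: "constructed-secret", VITE_SECRET_KEY: "x" };

console.log(thirdwebOptions(goodEnv, false)); // backend options built from the secret key
console.log(findExposedSecrets(badEnv)); // names of the variables that leak the secret
```

In an application, call `thirdwebOptions(process.env, typeof window !== "undefined")` and pass the result to the SDK constructor; the check fails closed at startup instead of shipping the secret key to browsers.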

Delete an API Key

To delete an API key:

  1. Navigate to Settings > API Keys on the dashboard.

  2. Choose the API Key you want to delete.

  3. Select Delete key and confirm your intention to delete the key. The key will then be deleted.

Deleting an API key will invalidate it, making it no longer usable.

Access Restrictions

API Keys provide two forms of access restrictions:

  • Domain IDs: A domain ID is used to restrict access to the enabled thirdweb infrastructure services based on a specific domain. It serves as an identifier for websites.
  • Bundle IDs: A bundle ID is a unique identifier used to restrict the Client ID to your Unity native or mobile application.

To modify the allowed Domain IDs or Bundle IDs:

  1. Navigate to Settings > API Keys on the dashboard.

  2. Choose the API Key you want to modify restrictions on.

  3. Select Edit to enter editor mode.

  4. Enter the allowed domains in the "Allowed Domains" field or switch to Bundle IDs to enter allowed Bundle IDs.

  5. Save changes.


Services

Storage

By default, Storage services are enabled upon creation of the API Key.

Storage provides two sub-settings enabled by default on API Key creation.

  • Upload - Enable uploading to Storage
  • Download - Enable downloading from Storage

To disable Upload or Download:

  1. Navigate to Settings > API Keys
  2. Toggle the checkboxes in the Services > Storage settings

RPC Edge

By default, RPC Edge services are enabled upon creation of the API Key.

To use RPC Edge in your application, see our RPC Edge QuickStart article.

Smart Wallets

By default, Smart Wallet services are enabled upon creation of the API Key.

Smart Wallet Destination Address: A smart wallet destination address is an address that the smart wallet is allowed to send transactions to or interact with. These addresses can be smart contracts, EOAs (Externally Owned Accounts), or other smart wallet addresses. This feature is useful for restricting the smart wallet to only send transactions to your own contracts.

To restrict the contracts that Smart Wallet can interact with:

  1. Navigate to Settings > API Keys

  2. Locate Smart Wallet under Services

  3. Input the contract address(es) into the 'Allowed Contract Addresses' field.

  4. Save your new settings by selecting Save

Embedded Wallets

By default, Embedded Wallet services are enabled upon creation of the API Key.


FAQs

Is the API Key free to use?

Yes, API Keys are free to create and use.

Can I use thirdweb SDKs without an API key?

Yes, you can use thirdweb SDKs without an API key by overriding the default infrastructure. You will need to provide and pass in your own services to the SDKs.

How do I get my Bundle ID for a Unity Native or mobile (React Native) application?

If you are developing a Unity native or mobile application, you will need to obtain a bundleId to restrict the Client ID to your application.

  • Unity Native: use either of the following options:

    • Log Utils.GetBundleId().
    • Check the platform-specific options in your Project Settings. It is usually formatted as com.companyName.productName based on your top-level Project Settings.
  • Mobile (React Native)

    • Android

      • Open the file <Project>/android/app/build.gradle and search for the term applicationId:
        android {
          defaultConfig {
            applicationId "com.example.yourproject"
            ...
          }
        }
    • iOS

      • Open the file <Project>/ios/<Project>/Info.plist and search for CFBundleIdentifier:
        <key>CFBundleIdentifier</key>
        <string>com.example.yourproject</string>
    • Programmatically retrieve bundleId for iOS or Android

      • Use the expo-application package from the @thirdweb-dev/react-native SDK

        import * as Application from "expo-application";

        const bundleId = Application.applicationId;