Skip to main content

Authentication

Urblock uses two authentication methods depending on the context: API keys for programmatic access and JWTs for dashboard sessions.

Choosing a Method

Use API keys for server-to-server integration (backends, scripts, CI). Use JWT only for the dashboard UI or when managing API keys programmatically.

API Keys (Resource Endpoints)

All resource endpoints (/v1/tokens, /v1/transactions, /v1/connect, etc.) use API key authentication.

Authorization: Bearer sk_test_abc123...
Key TypePrefixEnvironmentPermissions
Secret key (test)sk_test_TestnetRead + Write
Secret key (live)sk_live_MainnetRead + Write
Publishable key (test)pk_test_TestnetRead only
Publishable key (live)pk_live_MainnetRead only

Write operations (deploy, mint, transfer, burn, pause, etc.) require a secret key (sk_). Read-only operations (list, get, balance, etc.) accept either secret or publishable keys.

SDK Example

import { Urblock } from "@urblock/sdk";

// API key from environment
const urblock = new Urblock(process.env.URBLOCK_API_KEY); // sk_test_... or sk_live_...

// All SDK calls use this key automatically
const tokens = await urblock.tokens.list();

curl Example

curl https://api.urblock.io/v1/tokens \
  -H "Authorization: Bearer sk_test_abc123..."

JWT (Dashboard Endpoints)

Dashboard endpoints (/auth/*, /v1/api_keys) use JWT bearer tokens:

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Full Auth Flow

// 1. Login to get tokens
const auth = await urblock.auth.login({
  email: "dev@example.com",
  password: "secure-password",
});
// auth = { access_token: "eyJ...", refresh_token: "eyJ...", expires_in: 3600 }

// 2. Use access token for dashboard operations
const keys = await urblock.apiKeys.list();

// 3. Refresh before expiry
const refreshed = await urblock.auth.refresh({
  refresh_token: auth.refresh_token,
});

Token Lifecycle

TokenTTLUsage
access_token1 hourAuthenticates dashboard requests
refresh_token7 daysObtains new access tokens
warning

Store refresh tokens securely. They can be used to generate new access tokens without credentials.

Scopes

API keys can be restricted to specific scopes for the principle of least privilege:

ScopeDescription
tokens:readList and retrieve tokens
tokens:writeDeploy, pause, unpause tokens
wallets:readList and retrieve wallets
wallets:writeCreate wallets
transactions:readList and retrieve transactions
transactions:writeMint, transfer, burn, approve
nfts:readList and retrieve NFTs
nfts:writeNFT operations
identities:read / identities:writeT-REX identities
compliance:read / compliance:writeT-REX compliance
governance:read / governance:writeGovernance operations
roles:read / roles:writeRole management
vesting:read / vesting:writeVesting operations
vaults:read / vaults:writeVault operations
webhooks:read / webhooks:writeWebhook management
events:readEvent reading
gas_estimates:readGas estimation
batch:writeBatch operations
networks:readNetwork listing

Omitting scopes grants full access.

Scope Example

// Create a read-only key for monitoring
const monitorKey = await urblock.apiKeys.create({
  name: "monitoring-readonly",
  scopes: ["tokens:read", "transactions:read", "wallets:read", "events:read"],
});
// This key can list resources but cannot deploy, mint, or transfer

Error Codes

CodeHTTPMeaning
unauthorized401Missing or invalid API key / JWT
token_expired401JWT access token has expired
invalid_credentials401Wrong email or password
forbidden403Key lacks required scope
key_expired403API key past expires_at
ip_not_allowed403Request IP not in allowed_ips

Best Practices

  1. Never expose secret keys — use pk_ keys in client-side code
  2. Use scoped keys — grant only the permissions each service needs
  3. Rotate keys regularly — use the rotate endpoint for zero-downtime rotation
  4. Set expiration — use expires_at for temporary or CI/CD keys
  5. Restrict IPs — use allowed_ips for production secret keys
  6. Use environment variables — never commit keys to source control

Next Steps