Skip to content

How to Protect Your API Keys

Keeping your API keys secure is essential. Here are three main ways to protect them:

  • Restrict access to your API keys.
  • Use sponsorship policies.
  • Use a proxy server to handle requests to Pimlico.

Restrict Access to Your API Keys

You can limit how your API keys are used by modifying their permissions on the API Keys page. Restrictions can include:

  • IP addresses: Specify which IPs are allowed to make requests.
  • User agents: Limit access to specific browsers, SDK versions, or other user agents.
  • Origins: Define which domains are permitted to make requests.

Additionally, you can enable or disable specific API features for each key, such as:

  • Bundler methods.
  • Paymaster methods.
  • Account APIs.

Use Sponsorship Policies

Sponsorship Policies are hosted policies that allow you to define custom rules for sponsorships.

You can put limits to the global amount of sponsorships, the amount of sponsorships per user, and per user operation.

You can read more about Sponsorship Policies here.

Use a Proxy Server

You can create a proxy server to handle requests to Pimlico. This way, you can have custom authentication, rate limiting, and other features before forwarding requests to Pimlico.

Here's an example of how you can create a proxy server for fastify and express:

fastify.ts
import Fastify from 'fastify'
import proxy from '@fastify/http-proxy'
 
const fastify = Fastify({ logger: true })
const PIMLICO_API_KEY = process.env.PIMLICO_API_KEY
 
// Middleware to check authentication
fastify.addHook('preHandler', async (request, reply) => {
  const authHeader = request.headers.authorization
  
  if (!authHeader || !isValidAuth(authHeader)) {
    reply.code(401).send({ error: 'Unauthorized' })
  }
})
 
// Setup proxy to Pimlico API
fastify.register(proxy, {
  upstream: `https://api.pimlico.io/v2/137/rpc?apikey=${PIMLICO_API_KEY}`,
  prefix: '/api/proxy',
  rewriteRequestHeaders: (req, headers) => ({
    ...headers,
  })
})
 
// Start server
fastify.listen({ port: 3000 }, (err) => {
  if (err) {
    fastify.log.error(err)
    process.exit(1)
  }
})
 
// Helper function to validate auth
function isValidAuth(authHeader: string): boolean {
  // Implement your authentication logic here
  return true
}