Skip to main content

API Keys

Introduction

Immutable authenticates and authorises your Immutable zkEVM API requests using your environments' API keys.

Types of Keys and when to use them

💡Note
In the Developer Hub, you can create multiple projects, and in each project you can create multiple environments. There is a limit of 1 Secret API Key and 1 Publishable Key per environment.

Immutable offers two types of keys:

  1. Publishable Key, and
  2. Secret API Key
TypeValueWhen to use
Publishable KeyA string that starts with pk_imapik-Publishable Keys are used to identify your integration for tracking and analytics purposes. It's not a secret key and is safe for client-side applications, like web browsers, mobile applications and game clients as it is designed to be publicly safe and anonymous.
Secret API KeyA string that starts with sk_imapik-Secret API Keys are used to authenticate and authorise your backend integrations with Immutable. Don’t expose this key on a website or embed it in a game client or mobile application.

To differentiate between testnet and mainnet keys, testnet keys start with pk_imapik_test- and sk_imapik_test- respectively.

💡Caution

Keep your secret API key safe

Anyone can use your secret API key to perform "write" API calls, such as refreshing your asset metadata. You can keep your key safe by following these best practices:

  • Access to the secret API key should only be given to those who need it.
  • Don’t store your secret API key in a version control system.
  • Your secret API key should be stored in a password manager or secrets management service. And used via environment variables or the like.
  • Don’t use your secret API key where it could be exposed to an attacker, such as in a game client, mobile or web application.

Creating and Managing API keys

You can create and manage your keys in the Immutable Hub. The Immutable Hub serves as a portal for creating, displaying, and refreshing API keys. Navigate to the "API Keys" menu item within your chosen project and environment to manage your API keys.

Hub API keys page

How to use API Keys

Using the Publishable Key

What is the Publishable Key for?
Publishable Keys are used to identify your integration for tracking and analytics purposes. It's not a secret key and is safe for client-side applications, like web browsers, mobile applications and game clients as it is designed to be publicly safe and anonymous.
const baseConfig = {
environment: config.Environment.PRODUCTION,
publishableKey: YOUR_PUBLISHABLE_KEY, // Replace with your Publishable Key from the Immutable Hub
};

Using the Secret API Key

What is the Secret API Key for?
Secret API Keys are used to authenticate and authorise your backend integrations with Immutable. Don’t expose this key on a website or embed it in a game client or mobile application.
import { config, blockchainData } from '@imtbl/sdk';

const client = new blockchainData.BlockchainData({
baseConfig: {
environment: config.Environment.PRODUCTION,
apiKey: YOUR_SECRET_API_KEY,
publishableKey: YOUR_PUBLISHABLE_KEY,
},
});

List of endpoints that require Secret API Key authorization

NameEndpointMethodType
Refresh Stacked metadata/v1/chains/{chain_name}/collections/{contract_address}/metadata/refresh-metadataPOSTMetadata Refresh
Refresh NFT metadata/v1/chains/{chain_name}/collections/{contract_address}/nfts/refresh-metadataPOSTMetadata Refresh

How to refresh Secret API Keys

You can refresh your Secret API keys in the Immutable Hub. Once you create a Secret API key, you will get options to reveal, copy or refresh right next to it. Note that when you refresh a Secret API Key, the existing key will stop working.

Rate Limits

RPC calls to the default zkEVM RPC are rate limited. You can use your API key to increase this rate limit.

Default Rate Limit

If a request to the RPC endpoint does not include an x-api-key header, it is subject to the default rate limit.

The default rate limit is set to 1500 calls per 5 minutes, which equates to an average of 5 calls per second.

Rate Limit with x-api-key

If an x-api-key header is included in the RPC request (as a partner), the rate limit is determined by the associated partner usage plan. These limits are typically higher.

Invalid x-api-key

If the provided x-api-key in the request header is invalid (e.g., non-existent or malformed), the request will be rejected with a 403 Forbidden response.