search

Authentication

hashtag
Overview

The Issuance and Redemption API uses a two-step authentication process:

  1. API Key Authentication: Your partner API key identifies your organization

  2. JWT Token Authentication: JWT tokens authorize operations for specific wallet addresses

hashtag
API Key Authentication

hashtag
API Key Format

<keyId>.<secret>

Components:

  • keyId: Public identifier (e.g., partner_abc123)

  • secret: Private secret (e.g., sk_live_1234567890abcdef)

hashtag
Using API Keys

API keys are used only for JWT token issuance and refresh operations.

Header Format:

X-API-Key: <keyId>.<secret>

Endpoints that accept API keys:

  • POST /token - Issue new JWT token (modern)

  • POST /token/refresh - Refresh JWT token (modern)

hashtag
Obtaining an API Key

To request a partner API key, contact [email protected] with:

  • Your organization name

  • Use case description

  • Expected transaction volume

  • Technical contact information

hashtag
API Key Security

  • Store API keys in environment variables or secret management systems

  • Never commit API keys to version control

  • Rotate API keys regularly

hashtag
JWT Token Authentication

hashtag
Token Structure

JWT tokens are RS256-signed JSON Web Tokens containing:

Key Claims:

  • sub: Wallet address (lowercase)

  • exp: Expiration timestamp (1 year from issuance)

  • verified_credentials: Array of verified wallet addresses

  • azp: Partner ID

  • https://universal.xyz/partner_id: Your partner identifier

  • https://universal.xyz/type: User type (B2B for partners)

hashtag
Obtaining JWT Tokens

Request:

Response:

hashtag
Using JWT Tokens

Include the JWT token in the Authorization header for all API requests:

Example:

hashtag
Token Validation

The API validates:

  • ✅ Token signature using RS256 algorithm

  • ✅ Token expiration (exp claim)

  • ✅ Issuer (iss claim)

  • ✅ Audience (aud claim)

  • ✅ Wallet address matches verified credentials

  • ✅ User wallet status is active

hashtag
Wallet Address Binding

Important: Each JWT token is bound to a specific wallet address. All operations performed with that token will be associated with the wallet address specified in the sub claim.

To use multiple wallet addresses:

hashtag
Token Refresh

Refresh tokens before expiration to maintain uninterrupted access:

Request:

Response:

hashtag
Error Responses

hashtag
Invalid API Key

hashtag
Malformed API Key

hashtag
Expired JWT Token

hashtag
Invalid JWT Token

hashtag
Inactive Wallet

hashtag
Best Practices

  1. Token Caching: Cache JWT tokens and reuse them until near expiration

  2. Proactive Refresh: Refresh tokens before they expire (e.g., when 90% of lifetime has elapsed)

  3. Error Handling: Implement retry logic for 401/403 errors after token refresh

  4. Secure Storage: Store tokens securely, never in client-side JavaScript

  5. HTTPS Only: Always use HTTPS for API requests

  6. Wallet Management: Track which token corresponds to which wallet address

hashtag
Next Steps

  • Mint API - Create deposit addresses and issue universal tokens

  • Burn API - Redeem universal tokens to native chains

  • Examples - Complete authentication examples

PreviousIntegrate the Issuance & Redemption Universal APINextBurn API

Last updated