Overview

CryptoMate’s authentication system relies on API keys to verify your application’s identity and authorize its interactions with the platform. Every request to the API must include a valid API key, which governs access control and security policies.

Key management

API keys can be generated, edited, rotated, and revoked from the CryptoMate Portal. Each key operates independently, so you can manage its lifecycle without affecting other integrations.
Rotate keys periodically and revoke any that are no longer in use to minimize exposure.

Permission control

Each API key supports feature-level permission configurations, enabling granular, least-privilege access control. Typical patterns:
  • Read-only keys for reporting and analytics
  • Restricted keys scoped to a specific product or feature
  • Full-access keys for trusted backend services

IP address restrictions

API keys can be configured with an IP allowlist to limit requests to specific addresses or CIDR ranges.
  • Only approved IP sources are accepted
  • Requests from any other IP are rejected automatically
  • Restrictions can be updated at any time without regenerating the key
This helps you:
  • Limit the impact of accidental key exposure
  • Block unauthorized access from unknown sources
  • Enforce network-level security policies
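
Before applying an allowlist in the Portal, you can check a planned set of addresses and CIDR ranges against your own egress IPs so that a restriction does not lock out a legitimate integration. The following is an added example, not CryptoMate code: the function names, the sample addresses, and the handling of IPv4-mapped IPv6 addresses are assumptions, and the platform's own matching may differ.

```python
import ipaddress


def parse_allowlist(entries):
    """Parse single addresses and CIDR ranges into network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network. Entries with
    host bits set (e.g. 10.0.0.5/24) are rejected rather than silently widened.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid allowlist entry {entry!r}: {exc}") from exc
    return networks


def is_allowed(source_ip, networks):
    """Return True only if source_ip falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable source address: fail closed
    # Assumption of this example: an IPv4-mapped IPv6 address
    # (::ffff:a.b.c.d) is compared as the embedded IPv4 address.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in networks)


def uncovered(egress_ips, entries):
    """List the egress addresses that a planned allowlist would reject."""
    networks = parse_allowlist(entries)
    return [ip for ip in egress_ips if not is_allowed(ip, networks)]


# Constructed sample data using documentation ranges (RFC 5737, RFC 3849).
PLANNED_ALLOWLIST = ["203.0.113.10", "198.51.100.0/24", "2001:db8:1::/48"]
EGRESS_IPS = ["203.0.113.10", "198.51.100.77", "2001:db8:1::5", "203.0.113.11"]

if __name__ == "__main__":
    for ip in uncovered(EGRESS_IPS, PLANNED_ALLOWLIST):
        print(f"{ip} would be rejected by the planned allowlist")
```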

Using your API key

Include your API key in every request through the X-API-KEY header:
curl https://api.cryptomate.me/v1/... \
  -H "X-API-KEY: <your-api-key>"
No additional authentication steps are required beyond including this header.
Never embed API keys in client-side code or commit them to source control. Use environment variables or a secret manager.