Best Practices


Lets get off to a great start!

Crossmint’s Minting API abstracts out the technical complexities of creating and delivering NFTs at scale to your users. To deliver an outstanding user experience, we recommend that you keep in mind the following best practices when planning your NFT project..

What will we cover in this document?


Secure practices for API key management

Your Crossmint API key is very powerful. It allows you to mint new NFTs, and also to edit them.

To prevent malicious agents from compromising your project:

  • Never share these keys with others, nor using non encrypted channels
  • Never commit these keys in code that is saved to version control, like Git. Instead, use environment variables
  • Never use these keys from the client side / front end of your website. These keys should only be used from the server side.

If your API key gets compromised, go to, API keys, delete it and generate a new one. Your new key will still be able to interact with your existing NFT collections, whilst the old one will remain unusable.

Choosing the right media

Most NFTs contain an image or video as a cover, and customers oftentimes access them from low bandwidth environments such as mobile phones. It’s important to pick the right format, encoding and resolution, that strike the right balance between quality and loading speed.When choosing the right media, here are some considerations:

  • Choose a codec that is web-friendly, widely compatible, and has high quality with low sizes. For images, we recommend PNG or webp, and for video, MP4.
  • Pick the lowest resolution possible that suits your audience and use case. 1024x1024 pixels would look crisp enough for a full screen image on an iPhone, for example; however if you’re encoding high quality digital art or NFTs that are meant to be printed, you can use higher resolutions.
  • Watch out for big file sizes. If your audience is mostly mobile, aim for no more than 300KB for image, and 5MB for video, if you want fast loading times. For desktop, you can increase them by a factor of 2 or 3x.

Ensure your metadata is standard compliant

Forming your metadata starts with knowing which chain you want to use with the Minting API. Different blockchains and token types have different standards. By respecting the standard, you will ensure that your NFTs will be compatible with other apps such as marketplaces, wallets, etc.

To be compliant, check out our metadata guide and then create a few NFTs in staging and validate that they work well in other applications.


Need to modify metadata but you have already minted?

You can use the Update Metadata API method to change the metadata URI associated with the NFT.


Once you know what your media and metadata looks like you should test on staging. This will ensure everything works as expected and avoid costs for mainnet usage. We have a handy quickstart guide that can help you set up and deploy your project:

You can also use our built in API Reference to call our API functions from your browser, no code required.

Bot prevention

You want your carefully designed NFTs to end up in the hands of your most loyal customers. However, if you’re not careful, they could end up in the hands of “bots” who, through automation, can trick your code into giving them your NFTs.

The Crossmint API uses smart contracts that can’t be botted at the blockchain level. Only you, with your API key, can choose who receives an NFT. In order to prevent bots from taking all your NFTs, you must think carefully about the mechanism you’re using to allow your users to request and receive an NFT.

You have to make sure that your NFT is not attractive to bots. To do so, below are some suggestions:

  • Require payment or some other proof (e.g. being a loyal client of yours) before you call the Mint API for a user
  • Add ReCaptcha or equivalent anti-bot challenges to your forms to claim an NFT
  • Require email verification or user login
  • Leverage authentication services such as Stytch
  • Use anti fraud providers such as Sift science to detect “bot-like” activity in your website, and don’t allow them to get your NFTs
  • IP rate limiting
  • IP blocking high-risk countries
  • Geofencing your activation
  • Blocking emails to aliases (+) ([email protected], [email protected], etc.)
  • Honey-pot hidden form fields that bots will detect and fill out but humans can’t see
  • Disallow disposable emails from minting your NFTs. A good source of disposable domains can be accessed here.

It’s important that you spend some time thinking about how attractive your project is for bad actors, and that based on that, you prioritize the right amount of effort to putting safeguards in place.

Minting NFTs & Collection Creation

You can easily get your project minting by using the routes listed on our API reference

To ensure that everyone has a blazing fast experience across our minting API, we have set up rate-limits at pre-determined intervals and will continue to raise these limits in the future.

You can view the specific limits in this article: Rate Limits

We recommend you check for 429 (too many request) errors. If you hit a 429 error, this means you are minting too many NFTs or collections too fast! If so, we recommend you slow down before sending out another request. For your convenience, we send an epoch in the 429 response that you can safely retry on.

Correctly listen to NFT mint completion events

NFTs can take a few seconds, or sometimes even minutes, to mint in the Blockchain. Oftentimes you will want to listen to mint completion events, for things such as: (1) notifying your customers via email that their NFT is ready to access, (2) updating your database with the NFT id for the user, (3) showing a mint successful UI in your website, etc.

The recommended approach to listen to NFT completion events is to listen to mint completion Webhooks from your own server. To do so, follow the Webhooks guide.

If your server can’t accept webhooks, or you prefer a simpler approach, you can also periodically poll for NFT status using the get NFT status API. Whilst this approach is not recommended, it sometimes can be an easier way to get the job done. If you use this API, keep the following things in mind:

  • We recommend you delay GET requests for newly placed requests by at least 5 seconds, and you do retries at the same rate. Although our API is blazing fast, we are at the mercy of the blockchain and hammering the API will not make it faster!
  • Check for 429 (too many request) errors. If you hit a 429 error, this means you are polling our server too fast! If so, we recommend you slow down before re-polling. For your convenience, we send an epoch in the 429 response that you can safely retry on.