API keys are required to authorize requests against the Crossmint HTTP APIs. By using an API key, Crossmint knows which project is making the call, and can deduct credits off your quota.

Each API key can have one or more scopes, which indicate the permissions the key has to access or modify your project resources. Refer to the API Reference guide for more information on how to use them.

Most API keys are server-side only and must be stored securely

Enable only the scopes you need, and no more, and do NOT expose your keys on the frontend of your app, or your github code repository.

Crossmint offers two different types of API Keys. They are, Client-side API key and Server-side API key.

Client-side API keys are used in code that runs on the client-side, such as in web browsers or mobile apps. These keys are exposed to the end user and are therefore less secure. They typically have more restrictive permissions to minimize security risks. When creating a client-side API key, you also need to configure authorized origins that are allowed to make calls to the endpoint.

Server-side API keys are used in server-to-server communications or in code running on a server. These keys are not exposed to the end users and can have broader permissions because they are considered more secure, being stored and used in controlled environments.

Using the API Keys

See all the API scopes

For a full list of scopes, visit the API reference or the API keys console tab.