API keys are required to authorize requests against the Crossmint APIs. By using an API key, Crossmint knows which project is making the call, and can deduct credits from your balance.

Staging vs. Production Keys

First, determine if you need a staging (testing) or production API key.

Staging API Keys

Generate API keys for testing in the staging developer console

Production API Keys

Generate API keys for going live in the production developer console

Server-side vs. Client-side Keys

Server-side API keys are used in server-to-server communications or in code running on a server. These keys are not exposed to the end users and can have broader permissions because they are considered more secure, being stored and used in controlled environments.
The majority of Crossmint APIs require a server-side API key. For a comprehensive list of APIs available refer to the API Reference.
Client-side API keys are used in code that runs on the client-side, such as in web browsers or mobile apps. These keys are exposed to the end user and are therefore less secure. They typically have more restrictive permissions to minimize security risks. When creating a client-side API key, you also need to configure authorized origins that are allowed to make calls to the endpoint.
Client-side keys are required for building with the Wallets SDK, Authentication, and Headless Checkout.You can also perform some custodial wallet actions with these key types. Finally, the Verifiable Credentials SDK also offers some features via client-side keys.

More information

Rate Limits

Information about standard rate limits and exceptions

API Scopes

Complete list of available API scopes

Server-side Keys

How to create and use server-side API keys

Client-side Keys

How to create and use client-side API keys