Skip to main content
The headless checkout supports both server-side and client-side API keys. It’s important that you select the right key for your implementation.

When to use a server-side API key

  • Testing in the API Playground of the documentation
  • Testing with cURL requests or running scripts from your command line
  • Building applications that make API calls to your own backend, which then make the actual API call to Crossmint
The key consideration here is if the API request is coming from a server environment.

Server Side Example Code

route.ts (server-side)

When to use a client-side API key

  • Your application will be making API requests to Crossmint directly from a browser
When you create client-side API keys you must add the authorized origins that can use the key. For example, in testing you’ll need to indicate http://localhost:3000 (or similar local dev URLs) as authorized origins, or the request will be denied.
Client Key Domain There is one additional step when using a client-side API key in your application with headless checkout. The first call will be to create the order. The response will include a clientSecret property that you must persist in state and then pass as an additional header in subsequent API requests to the update-order or get-order routes.

Client Side Example Code

The sample code below shows direct client-side API calls to Crossmint using a client-side API key. The component.tsx file is simplified to only show the relevant logic for making requests directly from the browser to Crossmint’s API.

Mobile Applications

When using client-side API keys in mobile applications, you must include an additional x-app-identifier header in your requests. This header should contain the bundle identifier (iOS) or package name (Android) that you whitelisted when creating your API key. Client Key Domain Mobile
The x-app-identifier must match one of the mobile app identifiers you whitelisted when creating your client-side API key. For more information on setting up mobile app identifiers, see the Client-side API Keys documentation.