---
description: Authenticate all requests to Infura with an API key secret.
---

import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
For enhanced security, you can require an API key secret for all requests to Infura. The API key secret serves as a password accompanying the API key (which serves as a username). This two-part credential strengthens the authentication process, ensuring that only requests from authorized sources are accepted.
Use an API key secret if your dapp includes server-side components. Storing and using the API key secret only on the server side prevents exposure to client-side risks, such as malicious actors gaining access through browser inspection tools or network monitoring.
If your dapp operates solely on the client side without a server, use only the API key. The API key is exposed in client-side code, so you should secure it using allowlists.
:::tip
For customers on the Developer tier or higher, Infura supports overriding your allowlist when you specify an API key secret. This allows you to apply the principle of least privilege on the client side while allowing unrestricted access on the server side.
:::
In the API key's **Settings** tab, select **Require API Key secret for all requests**.
```bash
curl --user :<YOUR-API-KEY-SECRET> \
  https://mainnet.infura.io/v3/<YOUR-API-KEY> \
  -d '{"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}'
```

```bash
wscat -c wss://mainnet.infura.io/ws/v3/<YOUR-API-KEY> --auth ":<YOUR-API-KEY-SECRET>"
> {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}
```
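The same credential sent from a Node.js 18+ backend, as an added example that is not part of the original page or Infura's own code. It sends the secret as HTTP Basic authentication with an empty username, which is what `curl --user :<secret>` does. The environment variable names `INFURA_API_KEY` and `INFURA_API_KEY_SECRET` and both function names are assumptions.

```javascript
// Added example: server-side (Node.js 18+) helper, not Infura's own code.
// Assumed names: INFURA_API_KEY and INFURA_API_KEY_SECRET environment variables.

// Build the fetch() arguments for one JSON-RPC call, keeping the secret out of the URL.
function buildInfuraRequest(method, params, env) {
  // The secret must never ship in a browser bundle, so refuse to run client-side.
  if (typeof window !== "undefined") {
    throw new Error("API key secret must only be used on the server side");
  }
  const apiKey = env.INFURA_API_KEY;
  const secret = env.INFURA_API_KEY_SECRET;
  if (!apiKey || !secret) {
    throw new Error("INFURA_API_KEY and INFURA_API_KEY_SECRET must both be set");
  }
  // Same credential as `curl --user :<secret>`: HTTP Basic with an empty username.
  const basic = Buffer.from(`:${secret}`, "utf8").toString("base64");
  return {
    url: `https://mainnet.infura.io/v3/${apiKey}`,
    options: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Basic ${basic}`,
      },
      body: JSON.stringify({ jsonrpc: "2.0", method, params, id: 1 }),
    },
  };
}

// Send the call. The error message carries only the status code, so neither
// the API key (in the URL) nor the secret (in the header) reaches the logs.
async function callInfura(method, params = [], env = process.env) {
  const { url, options } = buildInfuraRequest(method, params, env);
  const res = await fetch(url, options);
  if (!res.ok) {
    throw new Error(`Infura request failed with HTTP ${res.status}`);
  }
  return res.json();
}
```

On the server, `await callInfura("eth_blockNumber")` performs the same call as the curl command, with the secret read from the process environment instead of source code.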