API Keys
Table of contents
- What Are API Keys?
- Viewing Your Keys
- Creating a New Key
- Using Your Key
- Managing Keys
- Native App OAuth Flow
- Security Best Practices
- Troubleshooting
What Are API Keys?
API keys let you access Fx.Land programmatically:
- Use with scripts and applications
- Integrate with IPFS CLI
- Build automated workflows
Each key is a JWT (JSON Web Token) that identifies your account.
Viewing Your Keys
- Go to API Keys in the sidebar
- See all your active keys
- Keys are partially hidden for security (click to reveal)
Creating a New Key
- Click Generate New Key
- Optionally give it a name/description
- Copy the key immediately
Copy your key now! The full key is only shown once. If you lose it, you’ll need to generate a new one.
Key Format
API keys look like:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ5b3VAZXhhbXBsZS5jb20iLC...
This is a standard JWT containing:
- Your email (sub claim)
- Permissions (scope claim)
- Unique identifier (jti claim)
Using Your Key
With curl
curl "https://api.cloud.fx.land/pins" \
-H "Authorization: Bearer YOUR_API_KEY"
With IPFS CLI
# Add the remote pinning service
ipfs pin remote service add fxland https://api.cloud.fx.land YOUR_API_KEY
# Pin content
ipfs pin remote add --service=fxland QmYourCID
# List remote pins
ipfs pin remote ls --service=fxland
In JavaScript
const response = await fetch('https://api.cloud.fx.land/pins', {
method: 'POST',
headers: {
'Authorization': `Bearer ${API_KEY}`,
'Content-Type': 'application/json'
},
body: JSON.stringify({
cid: 'QmYourCID',
name: 'my-file'
})
});
In Python
import requests
response = requests.post(
'https://api.cloud.fx.land/pins',
headers={
'Authorization': f'Bearer {API_KEY}',
'Content-Type': 'application/json'
},
json={
'cid': 'QmYourCID',
'name': 'my-file'
}
)
Managing Keys
Multiple Keys
Create separate keys for:
- Different applications
- Development vs. production
- Different team members
This way you can revoke one without affecting others.
Renaming Keys
- Find the key in your list
- Click the edit icon
- Enter a new name
- Save
Revoking Keys
- Find the key to revoke
- Click Revoke or the trash icon
- Confirm revocation
Revoked keys are immediately invalid. Any application using that key will get “Unauthorized” errors.
Native App OAuth Flow
For desktop or mobile apps that need to obtain a key for the user:
Flow
- Open browser to OAuth URL
- User signs in with Google
- User is redirected back with the key
Implementation
GET https://cloud.fx.land/get-key?redirect=myapp://callback
After authentication:
myapp://callback?key=JWT_TOKEN_HERE
Example (Electron App)
const { shell } = require('electron');
// Open browser for auth
shell.openExternal(
'https://cloud.fx.land/get-key?redirect=myapp://oauth-callback'
);
// Handle callback (register protocol handler)
app.setAsDefaultProtocolClient('myapp');
app.on('open-url', (event, url) => {
const params = new URL(url).searchParams;
const apiKey = params.get('key');
// Store and use the key
});
Security Best Practices
Do
- Store keys in environment variables
- Use separate keys for each application
- Revoke keys you no longer use
- Rotate keys periodically
Don’t
- Commit keys to Git repositories
- Share keys in chat or email
- Expose keys in client-side JavaScript
- Use the same key everywhere
If a Key is Compromised
- Revoke the key immediately
- Generate a new key
- Update your applications
- Check for unauthorized activity
Troubleshooting
“Unauthorized” Error
- Check the key is correct (no extra spaces)
- Verify the key hasn’t been revoked
- Ensure header format is
Authorization: Bearer <key>
Key Not Working
- Keys must include
Bearerprefix in the header - Make sure you copied the full key
- Try generating a new key
Can’t Find My Key
- Keys can only be viewed once when created
- Generate a new key if you lost the old one
- Revoke the lost key to prevent misuse