
Overview

RebelFi APIs use API key authentication for programmatic access. API keys provide full access to your organization’s resources.
The RebelFi dashboard uses internal JWT authentication for user sessions. This page covers only API key management for API integration.

API Key Endpoints

Generate and manage API keys for agent and programmatic access.

POST /api/core/apikeys/generate

Generate a new API key via the dashboard or API.
Headers:
Authorization: Bearer YOUR_ACCESS_TOKEN
Request Body:
{
  "name": "Production Agent"
}
Response:
{
  "success": true,
  "data": {
    "id": 789,
    "apiKey": "rfk_live_xxxxxxxxxxxxx",
    "name": "Production Agent",
    "createdAt": "2025-10-23T14:00:00Z"
  }
}
The API key is only shown once. Store it securely.

GET /api/core/apikeys

List all API keys for your organization.
Headers:
Authorization: Bearer YOUR_ACCESS_TOKEN
Response:
{
  "success": true,
  "data": [
    {
      "id": 789,
      "name": "Production Agent",
      "createdAt": "2025-10-23T14:00:00Z",
      "lastUsedAt": "2025-10-23T15:30:00Z"
    }
  ]
}
The actual API key value is not returned for security. Only metadata is shown.

DELETE /api/core/apikeys/:id

Revoke an API key.
Headers:
Authorization: Bearer YOUR_ACCESS_TOKEN
Response:
{
  "success": true,
  "data": {
    "deleted": true
  }
}

POST /api/core/apikeys/validate

Validate an API key (uses API key authentication).
Headers:
X-API-Key: rfk_live_xxxxxxxxxxxxx
Response:
{
  "success": true,
  "data": {
    "valid": true,
    "message": "API key is valid"
  }
}

Usage Example

// Using API key for authenticated requests
const response = await fetch('https://api.rebelfi.io/api/core/wallets/monitored', {
  headers: {
    'X-API-Key': 'rfk_live_xxxxxxxxxxxxx'
  }
});

const { data } = await response.json();
console.log('Monitored wallets:', data);

Security Best Practices

DO:
  • Store API keys in environment variables
  • Use secrets management systems (AWS Secrets Manager, HashiCorp Vault, etc.)
  • Encrypt API keys at rest

DON’T:
  • Commit API keys to version control
  • Include API keys in client-side code
  • Share API keys via email or chat
  • Log API keys in plain text

Rotate API keys regularly (recommended: every 90 days):
  1. Generate a new API key
  2. Deploy the new key to your systems
  3. Verify the new key works correctly
  4. Revoke the old API key
  5. Update documentation

  • Create separate API keys for different environments (dev, staging, production)
  • Use descriptive names to track key usage
  • Revoke API keys immediately if compromised
  • Regularly audit API key usage via dashboard
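
The rotation steps above (generate, deploy, verify, revoke), as an added JavaScript example that is not RebelFi's own code: it calls the endpoints documented on this page and leaves the old key in place unless the new one validates. `rotateApiKey`, `call`, `redact`, `storeSecret` and `fetchImpl` are hypothetical names, and the failure shape of the validate endpoint (`valid: false` or a non-2xx status) is an assumption.

```javascript
// Added example, not RebelFi code. Host taken from the usage example on this page.
const BASE = 'https://api.rebelfi.io';

// Never log a full key: keep the 9-character prefix and the last 4 characters only.
function redact(key) {
  return key.length <= 12 ? '****' : `${key.slice(0, 9)}****${key.slice(-4)}`;
}

// Small JSON helper; error messages carry the method, path and status, never headers.
async function call(fetchImpl, method, path, headers, body) {
  const res = await fetchImpl(`${BASE}${path}`, {
    method,
    headers: { 'Content-Type': 'application/json', ...headers },
    body: body ? JSON.stringify(body) : undefined,
  });
  const json = await res.json();
  if (!res.ok || !json.success) throw new Error(`${method} ${path} failed (HTTP ${res.status})`);
  return json.data;
}

// storeSecret is a hypothetical callback that writes the key to your secrets manager.
// fetchImpl is injectable so the flow can be exercised without network access.
async function rotateApiKey({ accessToken, oldKeyId, name, storeSecret, fetchImpl = fetch }) {
  const auth = { Authorization: `Bearer ${accessToken}` };

  // 1. Generate: the key value is returned only in this response.
  const created = await call(fetchImpl, 'POST', '/api/core/apikeys/generate', auth, { name });

  // 2. Deploy: hand the key straight to the secrets store, not to a log or a file.
  await storeSecret(created.apiKey);

  // 3. Verify the new key before touching the old one.
  const check = await call(fetchImpl, 'POST', '/api/core/apikeys/validate',
    { 'X-API-Key': created.apiKey });
  if (!check.valid) {
    throw new Error(`new key ${redact(created.apiKey)} did not validate; old key kept`);
  }

  // 4. Revoke the old key only after the new one is confirmed working.
  const gone = await call(fetchImpl, 'DELETE', `/api/core/apikeys/${oldKeyId}`, auth);
  return { newKeyId: created.id, keyHint: redact(created.apiKey), oldKeyRevoked: gone.deleted === true };
}
```

If step 3 fails, the newly generated key still exists and should be revoked once the cause is understood.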