RebelFi uses API key authentication for all programmatic API access.

API Key Authentication

Generating API Keys

API keys are scoped to a Wallet Profile. You must create a Wallet Profile before generating an API key. Each key can only register wallets and execute operations within its linked profile.
  1. Navigate to Settings → Wallet Profiles and create a profile (or use an existing one)
  2. Navigate to Settings → API Keys
  3. Click Generate API Key
  4. Provide a descriptive name (e.g., “Production SDK”, “Dev Environment”)
  5. Select the Wallet Profile to associate with this key
  6. Copy and securely store the key (shown only once)

API Key Format

RebelFi API keys follow this format:
rfk_{sandbox|prod}_{random_string}
Examples:
  • rfk_sandbox_xxxxxxxxxxx - Development key
  • rfk_prod_xxxxxxxxxxx - Production key

Using API Keys

Include the API key in the x-api-key header:

curl -X GET "https://api.rebelfi.io/v1/venues" \
  -H "x-api-key: rfk_prod_xxxxxxxxxxx"

const response = await fetch('https://api.rebelfi.io/v1/venues', {
  headers: {
    'x-api-key': 'rfk_prod_xxxxxxxxxxx'
  }
});

SDK Authentication

When using the TypeScript SDK:
import { RebelfiClient } from '@rebelfi/sdk';

const client = new RebelfiClient({
  apiKey: process.env.REBELFI_API_KEY
});

API keys are scoped to a Wallet Profile — they can only operate on wallets registered within that profile. Store them securely and rotate them regularly. Create separate keys for different environments (dev, staging, production).

Security Best Practices

API Key Management

DO:
  • Store in environment variables
  • Use secrets management (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault)
  • Encrypt at rest
DON’T:
  • Commit to version control
  • Store in code or configuration files
  • Share via email or chat
  • Log in plain text
Rotate API keys regularly:
  1. Generate new API key
  2. Deploy new key to production (blue/green deployment)
  3. Verify new key works
  4. Revoke old key
  5. Update documentation
Recommended frequency: Every 90 days
Use different API keys for each environment:
  • Development: rfk_sandbox_xxx
  • Staging: rfk_prod_xxx (non-dev environments use production prefix)
  • Production: rfk_prod_xxx
This limits blast radius if a key is compromised.
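
The rules above (no keys in version control or plain-text logs, one key per environment) can be enforced in code using the documented key prefix. The following TypeScript is an added example, not part of RebelFi's SDK or documentation: the function names are hypothetical, the sample keys are constructed, and the character set of the random part is an assumption, since the page documents only the rfk_{sandbox|prod}_ prefix.

```typescript
// Assumption: the random part uses [A-Za-z0-9_-]; the page documents only the
// rfk_{sandbox|prod}_ prefix. Widen the class if real keys use other characters.
const KEY_BODY = '(rfk_(sandbox|prod)_)[A-Za-z0-9_-]+';

type KeyEnv = 'sandbox' | 'prod';
interface Finding { line: number; env: KeyEnv; }

// Strip the secret part of every key before text reaches a logger, keeping
// the prefix so the line still shows which environment's key was involved.
function redactKeys(text: string): string {
  return text.replace(new RegExp('\\b' + KEY_BODY, 'g'), '$1[REDACTED]');
}

// Report line number and environment of each key in a file or log (for a
// pre-commit hook or CI check). The key itself is never returned.
function findKeys(content: string): Finding[] {
  const findings: Finding[] = [];
  content.split('\n').forEach((text, index) => {
    const re = new RegExp('\\b' + KEY_BODY, 'g');
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({ line: index + 1, env: m[2] as KeyEnv });
    }
  });
  return findings;
}

// Startup guard: reject a missing or malformed key, or one whose prefix does
// not match the environment this process is deployed to.
function checkKeyEnv(key: string | undefined, expected: KeyEnv): void {
  const m = new RegExp('^' + KEY_BODY + '$').exec(key || '');
  if (m === null) throw new Error('API key is missing or malformed');
  if (m[2] !== expected) {
    throw new Error('expected a ' + expected + ' key, got a ' + m[2] + ' key');
  }
}

// Constructed sample input (not real keys): a file with two embedded keys.
const SAMPLE = [
  'REBELFI_API_KEY=rfk_prod_EXAMPLEexample0001',
  'LOG_LEVEL=info',
  'curl -H "x-api-key: rfk_sandbox_EXAMPLEexample0002" https://api.rebelfi.io/v1/venues',
].join('\n');

console.log(findKeys(SAMPLE));
console.log(redactKeys(SAMPLE));
```

Because staging keys also carry the prod prefix, the startup guard separates sandbox from non-sandbox keys only; it cannot tell a staging key from a production one.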

Rate Limiting

RebelFi enforces rate limits per API key:

| Endpoint Type | Limit |
| --- | --- |
| Read (GET) | 100 requests/minute |
| Write (POST) | 20 requests/minute |

Handling Rate Limits

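When rate limited, you’ll receive a 429 status with a RATE_LIMIT_EXCEEDED error code.

async function makeRequestWithRetry(url: string, options: RequestInit, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(url, options);

    if (response.status === 429) {
      // Retry-After may be absent or an HTTP date rather than seconds; fall back
      // to 60s so an unparseable value never becomes an immediate retry.
      const parsed = parseInt(response.headers.get('Retry-After') ?? '', 10);
      const retryAfter = Number.isFinite(parsed) && parsed >= 0 ? parsed : 60;
      console.log(`Rate limited. Retrying after ${retryAfter}s`);
      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
      continue;
    }

    // Any non-429 response (success or error) is returned to the caller as-is.
    return response;
  }

  throw new Error('Max retries exceeded');
}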

Troubleshooting

Cause: Invalid or missing API key
Solution:
  • Verify API key is correct
  • Ensure proper header format (x-api-key: ...)
  • Check key hasn’t been revoked
  • Try generating a new API key

Cause: Valid credentials but access denied
Solution:
  • Verify the Wallet Profile linked to this API key is enabled (not disabled or deleted)
  • Verify the wallet you are accessing belongs to the key’s Wallet Profile
  • Check that the blockchain you are targeting is enabled in the Wallet Profile’s enabledChains configuration

Cause: Too many requests in time window
Solution:
  • Implement exponential backoff
  • Reduce request frequency
  • Contact support for higher limits if needed

Next Steps

Wallet Profiles

Set up wallet profiles and link your API key

API Reference

Explore authenticated API endpoints