RebelFi uses API key authentication for all programmatic API access and agent integration.

API Key Authentication

Generating API Keys

  1. Navigate to Settings → API Keys
  2. Click Generate API Key
  3. Provide a descriptive name (e.g., “Production Agent”, “Dev Environment”)
  4. Copy and securely store the key (shown only once)

API Key Format

RebelFi API keys follow this format:
rfk_{environment}_{random_string}
Examples:
  • rfk_test_xxxxxxxxxxx - Test/development key
  • rfk_live_xxxxxxxxxxx - Production key

Using API Keys

Include the API key in the x-api-key header:
curl -X GET "https://midas.rebelfi.io/v1/venues" \
  -H "x-api-key: rfk_live_xxxxxxxxxxx"

const response = await fetch('https://midas.rebelfi.io/v1/venues', {
  headers: {
    'x-api-key': 'rfk_live_xxxxxxxxxxx'
  }
});

SDK Authentication

When using the TypeScript SDK:
import { RebelfiClient } from '@rebelfi/sdk';

const client = new RebelfiClient({
  apiKey: process.env.REBELFI_API_KEY
});

API keys have full organization-level access. Store them securely and rotate them regularly. Create separate keys for different environments (dev, staging, production).

Security Best Practices

API Key Management

DO:
  • Store in environment variables
  • Use secrets management (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault)
  • Encrypt at rest
DON’T:
  • Commit to version control
  • Store in code or configuration files
  • Share via email or chat
  • Log in plain text
Rotate API keys regularly:
  1. Generate new API key
  2. Deploy new key to production (blue/green deployment)
  3. Verify new key works
  4. Revoke old key
  5. Update documentation
Recommended frequency: Every 90 days
Use different API keys for each environment:
  • Development: rfk_test_dev_xxx
  • Staging: rfk_test_staging_xxx
  • Production: rfk_live_prod_xxx
This limits blast radius if a key is compromised.
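
The DON'T list and the per-environment guidance above can be enforced in code. This is an added example, not RebelFi SDK code: it checks the key read from the environment against the rfk_{environment}_{random_string} format, masks keys before logging, and flags hardcoded keys in file contents. The function names and the character set of the random part are assumptions.

```typescript
// Added example, not part of the RebelFi SDK. Function names are hypothetical.
// Assumption: the random part of a key uses only [A-Za-z0-9_-]; the page does
// not state the character set.
const KEY_PATTERN = 'rfk_(test|live)_[A-Za-z0-9_-]+';

type KeyEnv = 'test' | 'live';
type Finding = { file: string; line: number };

// Mask every key in a string before it reaches a log sink. The environment
// prefix is kept so operators can still tell which kind of key was used.
function redactKeys(text: string): string {
  return text.replace(new RegExp(KEY_PATTERN, 'g'),
    (_match: string, env: string) => `rfk_${env}_[REDACTED]`);
}

// Read the key from an environment map (pass process.env in Node) and fail
// closed if it is missing, malformed, or belongs to the wrong environment.
// Error messages never contain the key itself.
function loadApiKey(env: Record<string, string | undefined>, expected: KeyEnv): string {
  const key = (env['REBELFI_API_KEY'] ?? '').trim();
  const m = new RegExp(`^${KEY_PATTERN}$`).exec(key);
  if (!m) {
    throw new Error('REBELFI_API_KEY is missing or not in rfk_{environment}_{random_string} form');
  }
  if (m[1] !== expected) {
    throw new Error(`Expected a ${expected} key, got a ${m[1]} key`);
  }
  return key;
}

// Flag hardcoded keys in file contents, e.g. staged files in a pre-commit hook.
// Input maps file name to file text; output lists file and 1-based line number.
function findHardcodedKeys(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  const re = new RegExp(KEY_PATTERN);
  for (const file of Object.keys(files)) {
    (files[file] ?? '').split('\n').forEach((text: string, i: number) => {
      if (re.test(text)) findings.push({ file, line: i + 1 });
    });
  }
  return findings;
}
```

Calling loadApiKey at startup with the environment the service is deployed to stops a production key from being used by a development build, and the other way round.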

Rate Limiting

RebelFi enforces rate limits per API key:
Endpoint Type | Limit
Read (GET)    | 100 requests/minute
Write (POST)  | 20 requests/minute

Handling Rate Limits

When rate limited, you’ll receive a 429 status with the RATE_LIMIT_EXCEEDED error code.
async function makeRequestWithRetry(url: string, options: RequestInit, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(url, options);

    if (response.status === 429) {
      // Retry-After may be absent or an HTTP-date rather than a number of
      // seconds; fall back to 60s instead of passing NaN to setTimeout.
      const parsed = Number(response.headers.get('Retry-After'));
      const retryAfter = Number.isFinite(parsed) && parsed > 0 ? parsed : 60;
      console.log(`Rate limited. Retrying after ${retryAfter}s`);
      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
      continue;
    }

    return response;
  }

  throw new Error('Max retries exceeded');
}

Troubleshooting

Cause: Invalid or missing API key
Solution:
  • Verify API key is correct
  • Ensure proper header format (x-api-key: ...)
  • Check key hasn’t been revoked
  • Try generating a new API key
Cause: Valid credentials but insufficient permissions
Solution:
  • Check API key has required permissions
  • Verify resource belongs to your organization
Cause: Too many requests in time window
Solution:
  • Implement exponential backoff
  • Reduce request frequency
  • Contact support for higher limits if needed
