RebelFi uses API key authentication for all programmatic API access.

API Key Authentication

Generating API Keys

There are two types of API keys:

| Type | Scoping | Permissions | Use Case |
|---|---|---|---|
| Profile-scoped | Tied to one Wallet Profile | Read + Write (register wallets, plan operations, submit transactions) | Per-partner SDK integration |
| Admin | Organization-wide | Read-only (list wallets, view allocations, aggregate overview) | Internal dashboards, cross-profile reporting |

Profile-Scoped Keys

Profile-scoped keys can only register wallets and execute operations within their linked Wallet Profile. You must create a Wallet Profile before generating a profile-scoped key.
  1. Navigate to Settings → Wallet Profiles and create a profile (or use an existing one)
  2. Navigate to Settings → API Keys
  3. Click Generate API Key
  4. Provide a descriptive name (e.g., “Production SDK”, “Dev Environment”)
  5. Select the Wallet Profile to associate with this key
  6. Copy and securely store the key (shown only once)

Admin Keys

Admin keys provide read-only access across all Wallet Profiles in your organization. They cannot register wallets, plan operations, or submit transactions. Use admin keys for internal tools that need aggregate metrics across all partners.
  1. Navigate to Settings → API Keys
  2. Click Generate API Key
  3. Provide a descriptive name (e.g., “Internal Dashboard”)
  4. Select Admin (read-only, all profiles)
  5. Copy and securely store the key (shown only once)
Admin keys and walletProfileId are mutually exclusive — you cannot create an admin key scoped to a specific profile.

API Key Format

RebelFi API keys follow this format:
```
rfk_{sandbox|prod}_{random_string}
```
Examples:
  • rfk_sandbox_xxxxxxxxxxx - Development key
  • rfk_prod_xxxxxxxxxxx - Production key

Using API Keys

Include the API key in the x-api-key header:
```bash
curl -X GET "https://api.rebelfi.io/v1/venues" \
  -H "x-api-key: rfk_prod_xxxxxxxxxxx"
```

```javascript
const response = await fetch('https://api.rebelfi.io/v1/venues', {
  headers: {
    'x-api-key': 'rfk_prod_xxxxxxxxxxx'
  }
});
```

SDK Authentication

When using the TypeScript SDK:
```typescript
import { RebelfiClient } from '@rebelfi/sdk';

const client = new RebelfiClient({
  apiKey: process.env.REBELFI_API_KEY
});
```
Profile-scoped API keys can only operate on wallets registered within that profile. Admin keys are read-only across all profiles. Store all keys securely and rotate them regularly. Create separate keys for different environments (dev, staging, production).

Security Best Practices

API Key Management

DO:
  • Store in environment variables
  • Use secrets management (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault)
  • Encrypt at rest
DON’T:
  • Commit to version control
  • Store in code or configuration files
  • Share via email or chat
  • Log in plain text
Rotate API keys regularly:
  1. Generate new API key
  2. Deploy new key to production (blue/green deployment)
  3. Verify new key works
  4. Revoke old key
  5. Update documentation
Recommended frequency: Every 90 days
Use different API keys for each environment:
  • Development: rfk_sandbox_xxx
  • Staging: rfk_prod_xxx (non-dev environments use production prefix)
  • Production: rfk_prod_xxx
This limits blast radius if a key is compromised.
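
The key-handling rules above (read the key from the environment, never log it in plain text, keep a separate key per environment) can be enforced at start-up. The TypeScript below is an added example, not RebelFi or SDK code; the helper names are hypothetical, and it assumes the random part of a key uses only letters, digits, `_` and `-`, which this page does not specify.

```typescript
// Added example, not RebelFi code. Assumption: the random part of a key is made of
// letters, digits, '_' or '-'; the page only documents rfk_{sandbox|prod}_{random_string}.
type KeyEnv = 'sandbox' | 'prod';

const KEY_SHAPE = /^rfk_(sandbox|prod)_[A-Za-z0-9_-]+$/;
const KEY_ANYWHERE = /rfk_(sandbox|prod)_[A-Za-z0-9_-]+/g;

// Returns the environment encoded in the key prefix, or null if the value is not key-shaped.
function keyEnvironment(key: string): KeyEnv | null {
  const m = KEY_SHAPE.exec(key.trim());
  return m ? (m[1] as KeyEnv) : null;
}

// Replaces every key-shaped substring with its prefix only, so logs and error
// messages still show which kind of key was involved but never the secret part.
function redactKeys(text: string): string {
  return text.replace(KEY_ANYWHERE, (_match, env) => `rfk_${env}_[REDACTED]`);
}

// Reads the key from an environment map and fails closed when it is missing,
// malformed, or carries a different prefix than the deployment expects.
// Staging uses the production prefix, so staging deployments pass 'prod'.
function loadApiKey(env: Record<string, string | undefined>, expected: KeyEnv): string {
  const raw = env['REBELFI_API_KEY'];
  if (!raw) throw new Error('REBELFI_API_KEY is not set');
  const key = raw.trim();
  const actual = keyEnvironment(key);
  if (actual === null) {
    throw new Error('REBELFI_API_KEY is not in rfk_{sandbox|prod}_... format');
  }
  if (actual !== expected) {
    throw new Error(`expected a ${expected} key but got ${redactKeys(key)}`);
  }
  return key;
}
```

Call `loadApiKey(process.env, 'prod')` once at start-up and pass log lines through `redactKeys` before they are written.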

Rate Limiting

RebelFi enforces rate limits per API key:

| Endpoint Type | Limit |
|---|---|
| Read (GET) | 100 requests/minute |
| Write (POST) | 20 requests/minute |

Handling Rate Limits

When rate limited, you’ll receive a 429 status with the RATE_LIMIT_EXCEEDED error code.
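```typescript
// Retries a request when the API answers 429 (RATE_LIMIT_EXCEEDED), waiting the number
// of seconds given in the Retry-After header (60s if the header is absent or not numeric).
async function makeRequestWithRetry(url: string, options: RequestInit, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(url, options);

    if (response.status === 429) {
      const parsed = Number.parseInt(response.headers.get('Retry-After') ?? '', 10);
      const retryAfter = Number.isFinite(parsed) && parsed >= 0 ? parsed : 60;
      console.log(`Rate limited. Retrying after ${retryAfter}s`);
      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
      continue;
    }

    return response;
  }

  throw new Error('Max retries exceeded');
}
```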

Troubleshooting

Cause: Invalid or missing API key
Solution:
  • Verify API key is correct
  • Ensure proper header format (x-api-key: ...)
  • Check key hasn’t been revoked
  • Try generating a new API key
Cause: Valid credentials but access denied
Solution:
  • Verify the Wallet Profile linked to this API key is enabled (not disabled or deleted)
  • Verify the wallet you are accessing belongs to the key’s Wallet Profile
  • Check that the blockchain you are targeting is enabled in the Wallet Profile’s enabledChains configuration
Cause: Too many requests in time window
Solution:
  • Implement exponential backoff
  • Reduce request frequency
  • Contact support for higher limits if needed
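
One way to implement the exponential backoff recommended above while still honoring the `Retry-After` header on 429 responses. This is an added example, not RebelFi or SDK code; the base delay, the full-jitter strategy and the injectable `now`, `rand` and `sleep` parameters are assumptions made for the sketch.

```typescript
// Added example, not RebelFi code. BASE_MS, the jitter strategy and the injectable
// `now`/`rand`/`sleep` parameters are choices made for this sketch.
const BASE_MS = 1000;
// The documented limits are per minute, so no wait needs to exceed 60 s.
const CAP_MS = 60000;

interface RateLimited {
  status: number;
  headers: { get(name: string): string | null };
}

// Parses Retry-After as delta-seconds or an HTTP-date; returns ms to wait, or null.
function parseRetryAfter(header: string | null, now: number): number | null {
  const value = (header ?? '').trim();
  if (value === '') return null;
  if (/^\d+$/.test(value)) return Number(value) * 1000;
  const when = Date.parse(value);
  return Number.isNaN(when) ? null : Math.max(0, when - now);
}

// Delay before retry `attempt` (0-based): the server's hint when present, otherwise
// exponential backoff with full jitter. Both are capped at CAP_MS.
function retryDelayMs(attempt: number, header: string | null,
                      now: number = Date.now(), rand: () => number = Math.random): number {
  const hinted = parseRetryAfter(header, now);
  if (hinted !== null) return Math.min(hinted, CAP_MS);
  const ceiling = Math.min(CAP_MS, BASE_MS * Math.pow(2, attempt));
  return Math.floor(rand() * ceiling);
}

// Calls `send` until it returns something other than 429 or retries run out.
// The last response is returned either way so the caller can inspect it.
async function withBackoff<T extends RateLimited>(
  send: () => Promise<T>,
  maxRetries = 5,
  sleep: (ms: number) => Promise<void> = ms => new Promise<void>(r => setTimeout(r, ms)),
): Promise<T> {
  let response = await send();
  for (let attempt = 0; attempt < maxRetries && response.status === 429; attempt++) {
    await sleep(retryDelayMs(attempt, response.headers.get('Retry-After')));
    response = await send();
  }
  return response;
}
```

A `fetch` response satisfies `RateLimited`, so a call looks like `withBackoff(() => fetch(url, { headers: { 'x-api-key': key } }))`.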
