API Keys
API keys are bearer tokens used to authenticate server-side requests to the amser Indexer API and webhook configuration endpoints. They are distinct from SIWE (Sign-In with Ethereum) wallet authentication, which is used for the dashboard UI. API keys are for your backend services — SIWE is for browser-based wallet interactions.
Key Format
amser API keys use a prefixed format that determines which environment requests are routed to:
| Prefix | Environment | Example |
|---|---|---|
| amsr_live_ | Production (mainnet) | amsr_live_k3m7x9p2q4r8s1t5v0w6y |
| amsr_test_ | Testnet | amsr_test_a1b2c3d4e5f6g7h8i9j0k |
The prefix is part of the key and is required. Requests made with an amsr_test_ key will only access testnet data, and vice versa.
Security Model
API keys are SHA-256 hashed before storage. amser stores only the hash — if you lose a key, it cannot be recovered and must be rotated.
Keys are displayed in full exactly once, at the moment of creation. After you dismiss the creation dialog, the full key is no longer retrievable from amser.
Generating a Key
- Navigate to Settings → API Keys in the amser dashboard
- Click Create Key
- Name your key descriptively (e.g. production-server, webhook-consumer, staging-backend)
- Copy the full key immediately and store it in a secure location
The key is shown only once. If you close the dialog without copying the key, you must create a new one.
Limits
Each merchant can have a maximum of 5 active API keys at a time. If you need a new key and have reached the limit, revoke an unused key first.
Using a Key
Include your API key in the Authorization header of every request:
Authorization: Bearer amsr_live_xxxxxxxxxxxxx
Example request:
const response = await fetch('https://api.amser.io/v0/subscriptions', {
  headers: {
    'Authorization': `Bearer ${process.env.AMSER_API_KEY}`,
    'Content-Type': 'application/json',
  },
});
Scopes
All API keys currently have full access to the Indexer API and webhook configuration endpoints. Scoped keys with granular permissions are on the roadmap.
Rotation
To rotate a key without downtime:
- Create a new key in the dashboard
- Update your server configuration to use the new key
- Verify that requests succeed with the new key
- Delete the old key in the dashboard
If both keys are valid simultaneously during the transition, there is no interruption to your service.
Revoking a Key
Deleting a key in the dashboard immediately invalidates all requests using that key. Any in-flight request authenticated with the revoked key will fail. This action cannot be undone — if you revoke a key by mistake, you must create a new one.
Security Guidelines
Never commit API keys to version control. Use environment variables or a secrets manager. If a key is accidentally committed, rotate it immediately.
- Do not expose live keys in client-side code. API keys are for server-to-server communication. Browser JavaScript, mobile apps, and any client-accessible code must not contain API keys.
- Do not use live keys for testing. Use amsr_test_ keys for development and staging environments.
- Store keys in environment variables. Reference them via process.env.AMSER_API_KEY or your platform's equivalent secrets mechanism.
- Audit key usage. Periodically review which keys exist and delete any that are no longer in use.
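The prefix rules under Key Format and the guidelines above can be enforced in your own code. The following is an added example, not amser code: a startup guard that rejects a key whose prefix does not match the deployment environment, a redactor for log output, and a scanner for keys embedded in source text. The key-body pattern (16 or more lowercase letters and digits) is an assumption inferred from the sample keys in the table, and all function names are hypothetical.

```javascript
// Added example, not amser code. The key-body pattern is an assumption
// inferred from the sample keys in the Key Format table.
const KEY_RE = /amsr_(live|test)_[a-z0-9]{16,}/g;

// Map a key to the environment its prefix routes to; null if malformed.
function keyEnvironment(key) {
  const m = /^amsr_(live|test)_[a-z0-9]{16,}$/.exec(String(key || '').trim());
  if (!m) return null;
  return m[1] === 'live' ? 'production' : 'testnet';
}

// Keep only the prefix and last 4 characters so logs never hold a usable key.
function redactKey(key) {
  const prefix = /^amsr_(live|test)_/.exec(String(key));
  return prefix ? `${prefix[0]}...${String(key).slice(-4)}` : '[redacted]';
}

// Startup guard: fail fast on a missing, malformed, or wrong-environment key.
function assertKeyForEnvironment(key, expected) {
  const actual = keyEnvironment(key);
  if (actual === null) throw new Error('AMSER_API_KEY is missing or malformed');
  if (actual !== expected) {
    throw new Error(`AMSER_API_KEY ${redactKey(key)} is a ${actual} key, expected ${expected}`);
  }
  return String(key).trim();
}

// Pre-commit / CI check: report embedded keys by line, already redacted.
function findCommittedKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(KEY_RE)) {
      findings.push({ line: i + 1, environment: keyEnvironment(m[0]), key: redactKey(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input reusing the example keys from the Key Format table.
const SAMPLE_SOURCE = [
  'const key = process.env.AMSER_API_KEY;',
  "const hardCoded = 'amsr_live_k3m7x9p2q4r8s1t5v0w6y';",
  'Authorization: Bearer amsr_test_a1b2c3d4e5f6g7h8i9j0k',
  'Authorization: Bearer amsr_live_xxxxxxxxxxxxx',
].join('\n');
console.log(findCommittedKeys(SAMPLE_SOURCE));
```

The documentation placeholder on the last sample line is too short to match the assumed pattern, so it is not reported.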
Next Steps
- Configure a Webhook endpoint to receive event notifications
- Review the Events Reference to understand what data your server will process
- Check Smart Contracts for the networks amser is deployed on