Authentication

Every request to OP Mainnet through TheRPC requires an API key — it authenticates the call against https://optimism.therpc.io/YOUR_API_KEY and links usage to your plan. This guide walks through generating a key from the dashboard, passing it on each request via the Bearer Authorization header, securing it with best practices, loading it from environment variables, and reading the error responses you'll see when authentication fails.

Getting an API Key

• Sign up for a free account at TheRPC.io.
• Open the Dashboard once you're logged in.
• Go to the API Keys section.
• Generate a new key and copy it — you'll drop it into the OP Mainnet endpoint URL and the Authorization header.

Using Your API Key

Pass your key in the Authorization header using the Bearer scheme on every OP Mainnet request. There is no session or login step — each JSON-RPC call to https://optimism.therpc.io/YOUR_API_KEY is authenticated on its own, so the header must be present every time, whether you're reading a block or broadcasting a transaction.

HTTP Headers

1Authorization: Bearer YOUR_API_KEY

Example Requests — curl

1curl --request POST 'https://optimism.therpc.io/YOUR_API_KEY' \
2  --header 'Content-Type: application/json' \
3  --header 'Authorization: Bearer YOUR_API_KEY' \
4  --data '{
5    "jsonrpc": "2.0",
6    "method": "eth_blockNumber",
7    "params": [],
8    "id": 1
9  }'

Example Requests — JavaScript

1const response = await fetch('https://optimism.therpc.io/YOUR_API_KEY', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/json',
5    Authorization: `Bearer ${API_KEY}`,
6  },
7  body: JSON.stringify({
8    jsonrpc: '2.0',
9    method: 'eth_blockNumber',
10    params: [],
11    id: 1,
12  }),
13});

Security Best Practices

• Never commit your OP Mainnet API key to source control — keep it out of Git history, including config files and notebooks.
• Don't paste keys into public forums, issue trackers, Discord, or chat logs where they can be scraped.
• Store keys in environment variables or a secret vault rather than hardcoding them in application code.
• Rotate keys periodically, and revoke any compromised key immediately from the dashboard before generating a replacement.
• Use separate keys per environment and per application so you can revoke one without breaking the others.
• Monitor each key's usage in the TheRPC dashboard to catch unexpected traffic early.

Error Handling

When authentication fails on OP Mainnet, TheRPC returns a JSON-RPC error object with a code and a human-readable message instead of a result — for example, code -32001 with "Invalid authentication credentials". The usual causes are a missing Authorization header, a malformed key or wrong header format, an expired or revoked key, or hitting your plan's rate limit. Check the message first, then confirm the key is present, correctly formatted, and still active in the dashboard.

Authentication Error Response

1{
2  "jsonrpc": "2.0",
3  "error": {
4    "code": -32001,
5    "message": "Invalid authentication credentials"
6  },
7  "id": 1
8}

Environment Setup

The safest way to use your OP Mainnet key is to load it from an environment variable at runtime rather than writing it directly into your code. Keep it in a .env file that's git-ignored (or in your platform's secret store) and read it through process.env in Node.js or os.getenv in Python, so the key never ends up in your repository or shipped bundles.

Environment Variables — .env

1# .env file
2THERPC_API_KEY=your_api_key_here

Configuration Examples — Node.js

1require('dotenv').config();
2const API_KEY = process.env.THERPC_API_KEY;

Configuration Examples — Python

1import os
2from dotenv import load_dotenv
3 
4load_dotenv()
5API_KEY = os.getenv('THERPC_API_KEY')