Ethereum

Authentication

Every call to the Ethereum endpoint at https://ethereum.therpc.io/YOUR_API_KEY is authenticated by your API key — a request without a valid key never reaches a chain 1 node. This guide shows where to generate a key, how to attach it as a Bearer token on each request, how to keep it out of your source tree, and how to read the error you get back when authentication fails.

Getting an API Key

  • Sign up at TheRPC.io and confirm your account.
  • Open the Dashboard once you are signed in.
  • Go to the API Keys section.
  • Generate a key — it works immediately for Ethereum mainnet and for every other chain TheRPC serves, since the key is tied to your account rather than to a single network.

Using Your API Key

Attach the key as a Bearer token in the Authorization header. Whether you are reading a balance with eth_getBalance or broadcasting a signed transaction with eth_sendRawTransaction, the header goes on every single request — there is no session or login step that lets you skip it on later calls. Send it alongside the standard Content-Type: application/json on each POST to the Ethereum endpoint.

HTTP Headers

Authorization: Bearer YOUR_API_KEY

Example Requests — curl

curl --request POST 'https://ethereum.therpc.io/YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer YOUR_API_KEY' \
  --data '{
    "jsonrpc": "2.0",
    "method": "eth_blockNumber",
    "params": [],
    "id": 1
  }'

Example Requests — JavaScript

// Read the key from the environment (see Environment Setup) instead of hardcoding it.
const API_KEY = process.env.THERPC_API_KEY;

const response = await fetch(`https://ethereum.therpc.io/${API_KEY}`, {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    Authorization: `Bearer ${API_KEY}`,
  },
  body: JSON.stringify({
    jsonrpc: '2.0',
    method: 'eth_blockNumber',
    params: [],
    id: 1,
  }),
});

Security Best Practices

  • Keep keys out of version control. A key committed to a public repo can be scraped within minutes and used to burn your CU quota on chain 1.
  • Do not paste keys into Discord, forum posts, GitHub issues, or screenshots when asking for help — redact them to YOUR_API_KEY first.
  • Store keys in environment variables or a secret manager (Vault, AWS Secrets Manager, your platform's encrypted env), never as string literals in code.
  • Rotate keys on a schedule, and if a key leaks, revoke it from the Dashboard right away and generate a replacement — a revoked key stops authenticating immediately.
  • Use a separate key per environment and per app, so revoking your staging key never takes down production Ethereum traffic.
  • Watch each key's usage in the Dashboard; a sudden spike in CU consumption is usually the first sign a key has leaked.

Error Handling

When authentication fails, you get a JSON-RPC error object — the same envelope as any other failure, with a numeric code and a message — rather than an Ethereum result. The usual causes are a missing Authorization header, a malformed Bearer value, or a key that has been revoked or rotated out. A separate failure mode is exceeding your plan's rate limit, which comes back with its own code rather than an auth error, so branch on the code to tell the two apart before retrying.

Authentication Error Response

{
  "jsonrpc": "2.0",
  "error": {
    "code": -32001,
    "message": "Invalid authentication credentials"
  },
  "id": 1
}
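
One way to branch on the error code before retrying, written as an added example and not TheRPC's own client code. The code -32001 comes from the response above; rateLimitCode is an assumption the caller must supply because this page does not state the rate-limit code, and replayFetch is a constructed stand-in for fetch so the example runs offline.

```javascript
const AUTH_ERROR_CODE = -32001; // from the error response shown on this page

// Classify a parsed JSON-RPC body. rateLimitCode is an assumption supplied by
// the caller, because this page does not state the rate-limit code.
function classifyRpcBody(body, rateLimitCode) {
  if (!body || typeof body !== 'object') return 'malformed';
  if (!body.error) return 'result' in body ? 'ok' : 'malformed';
  if (body.error.code === AUTH_ERROR_CODE) return 'auth';
  if (body.error.code === rateLimitCode) return 'rate_limit';
  return 'rpc_error';
}

// POST one JSON-RPC call. Only rate limiting is retried (with backoff); an auth
// failure is thrown at once, since resending a bad or revoked key cannot succeed.
async function callRpc(method, params, opts) {
  const { apiKey, rateLimitCode, fetchImpl = fetch, maxRetries = 3, baseDelayMs = 250 } = opts;
  if (!apiKey) throw new Error('API key is not set');
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(`https://ethereum.therpc.io/${apiKey}`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${apiKey}` },
      body: JSON.stringify({ jsonrpc: '2.0', method, params, id: 1 }),
    });
    const body = await res.json();
    const kind = classifyRpcBody(body, rateLimitCode);
    if (kind === 'ok') return body.result;
    if (kind === 'rate_limit' && attempt < maxRetries) {
      await new Promise((resolve) => setTimeout(resolve, baseDelayMs * 2 ** attempt));
      continue;
    }
    // Report only the server's code and message: the URL and the Authorization
    // header both carry the key and must not end up in logs or error text.
    const err = new Error(`${method} failed (${kind}): ${body?.error?.message ?? 'no error object'}`);
    err.kind = kind;
    err.code = body?.error?.code;
    throw err;
  }
}

// Constructed stand-in for fetch that replays canned JSON-RPC bodies in order,
// so the example runs offline.
function replayFetch(bodies) {
  let i = 0;
  return async () => ({ json: async () => bodies[Math.min(i++, bodies.length - 1)] });
}
```

In real use, pass process.env.THERPC_API_KEY as apiKey and leave fetchImpl unset so the global fetch is used.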

Environment Setup

Load the key from an environment variable at runtime instead of hardcoding it into your Ethereum client. The pattern below reads THERPC_API_KEY from a .env file that stays out of git, so the same code runs in development against a test key and in production against your live chain 1 key with nothing to change but the environment.

Environment Variables — .env

# .env file
THERPC_API_KEY=your_api_key_here

Configuration Examples — Node.js

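require('dotenv').config(); // load .env into process.env
const API_KEY = process.env.THERPC_API_KEY;
// Fail fast so a missing key is never sent as "Bearer undefined".
if (!API_KEY) throw new Error('THERPC_API_KEY is not set');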

Configuration Examples — Python

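import os
from dotenv import load_dotenv

load_dotenv()  # load .env into the process environment
API_KEY = os.getenv('THERPC_API_KEY')
# Fail fast so a missing key is never sent as "Bearer None".
if not API_KEY:
    raise RuntimeError('THERPC_API_KEY is not set')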
