Authentication

Every request to the Polygon endpoint at https://polygon.therpc.io/YOUR_API_KEY is authenticated with an API key — there is no anonymous access. This guide walks through obtaining a key from the TheRPC dashboard, passing it correctly on each Polygon call, keeping it secure, and recognizing the error responses you will see when authentication fails.

Getting an API Key

• Sign up for a free account at TheRPC.io.
• Open the Dashboard once you are signed in.
• Go to the API Keys section.
• Generate a new key and copy it — this single key works for Polygon (chain ID 137) and every other supported network.

Using Your API Key

Pass your key in the Authorization header using the Bearer scheme on every Polygon request. There is no session or cookie to manage — each JSON-RPC call to polygon.therpc.io must include the header, or it will be rejected. The examples below show the same eth_blockNumber call against Polygon with the header in place.

HTTP Headers

1Authorization: Bearer YOUR_API_KEY

Example Requests — curl

1curl --request POST 'https://polygon.therpc.io/YOUR_API_KEY' \
2  --header 'Content-Type: application/json' \
3  --header 'Authorization: Bearer YOUR_API_KEY' \
4  --data '{
5    "jsonrpc": "2.0",
6    "method": "eth_blockNumber",
7    "params": [],
8    "id": 1
9  }'

Example Requests — JavaScript

1const response = await fetch('https://polygon.therpc.io/YOUR_API_KEY', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/json',
5    Authorization: `Bearer ${API_KEY}`,
6  },
7  body: JSON.stringify({
8    jsonrpc: '2.0',
9    method: 'eth_blockNumber',
10    params: [],
11    id: 1,
12  }),
13});

Security Best Practices

• Never commit your Polygon API key to source control — keep it out of Git history, public repos, and front-end bundles.
• Do not paste keys into public forums, issue trackers, Discord, or chat channels.
• Store keys in environment variables or a secret manager (such as AWS Secrets Manager or HashiCorp Vault), never hardcoded in code.
• Rotate keys periodically, and revoke any compromised key immediately from the dashboard.
• Use separate keys per environment and per application so you can isolate and revoke without disrupting everything.
• Monitor each key's usage and Compute Unit consumption from the TheRPC dashboard to catch anomalies early.

Error Handling

When authentication fails on a Polygon request, TheRPC returns a JSON-RPC error object rather than the result you expected — the shape below carries a code and a human-readable message. The usual culprits are a missing Authorization header, a key in the wrong format, an expired or revoked key, or a key that has exceeded its rate limit. Check the header first, confirm the key is active in the dashboard, then look at your request volume.

Authentication Error Response

1{
2  "jsonrpc": "2.0",
3  "error": {
4    "code": -32001,
5    "message": "Invalid authentication credentials"
6  },
7  "id": 1
8}

Environment Setup

The recommended pattern is to load your Polygon API key from an environment variable at runtime rather than hardcoding it anywhere in your source. Keep the key in a .env file that is excluded from Git, and read it into your app — the snippets below show this for Node.js and Python pointing at the polygon.therpc.io endpoint.

Environment Variables — .env

1# .env file
2THERPC_API_KEY=your_api_key_here

Configuration Examples — Node.js

1require('dotenv').config();
2const API_KEY = process.env.THERPC_API_KEY;

Configuration Examples — Python

1import os
2from dotenv import load_dotenv
3 
4load_dotenv()
5API_KEY = os.getenv('THERPC_API_KEY')