Authentication

Every request to the Base API on TheRPC requires an API key — it authenticates you and links each call to your plan and quota. This guide walks through getting a key from the dashboard, passing it correctly in the Authorization header on your Base requests, securing it with sensible practices, loading it from environment variables, and reading the error responses you get when a key is missing, malformed, or revoked.

Getting an API Key

• Sign up for a free account at TheRPC.io.
• Open the Dashboard after signing in.
• Go to the API Keys section.
• Generate a new key — it works immediately for Base (chain ID 8453) and every other supported network.

Using Your API Key

Pass your key to Base in the Authorization header using the Bearer scheme: Authorization: Bearer YOUR_API_KEY. Every request to https://base.therpc.io/YOUR_API_KEY must include this header — there is no session or cookie, so a request without a valid Bearer key is rejected before it reaches the node.

HTTP Headers

1Authorization: Bearer YOUR_API_KEY

Example Requests — curl

1curl --request POST 'https://base.therpc.io/YOUR_API_KEY' \
2  --header 'Content-Type: application/json' \
3  --header 'Authorization: Bearer YOUR_API_KEY' \
4  --data '{
5    "jsonrpc": "2.0",
6    "method": "eth_blockNumber",
7    "params": [],
8    "id": 1
9  }'

Example Requests — JavaScript

1const response = await fetch('https://base.therpc.io/YOUR_API_KEY', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/json',
5    Authorization: `Bearer ${API_KEY}`,
6  },
7  body: JSON.stringify({
8    jsonrpc: '2.0',
9    method: 'eth_blockNumber',
10    params: [],
11    id: 1,
12  }),
13});

Security Best Practices

• Never commit keys to source control — keep them out of Git, including .env files; add .env to .gitignore.
• Never share keys in public — avoid pasting them into forums, issues, Discord, or chat logs.
• Store keys in environment variables or a secret vault — never hardcode them in client-side or committed code.
• Rotate keys periodically and revoke any compromised key immediately from the dashboard.
• Use separate keys per environment or application — distinct keys for dev, staging, and production make abuse easy to isolate.
• Monitor key usage in the TheRPC dashboard to spot unexpected Base traffic early.

Error Handling

When authentication fails, the Base API returns a JSON-RPC error object with a numeric code and a message such as "Invalid authentication credentials" (see the example below). The common causes are a missing Authorization header, a malformed or misspelled key, an expired or revoked key, or exceeding your plan's rate limit. Check the header is present and correctly formatted first, then confirm the key is still active in the dashboard.

Authentication Error Response

1{
2  "jsonrpc": "2.0",
3  "error": {
4    "code": -32001,
5    "message": "Invalid authentication credentials"
6  },
7  "id": 1
8}

Environment Setup

As a baseline practice, load your Base API key from an environment variable rather than hardcoding it in source. Keep the value in a .env file (excluded from version control) or in your platform's secret manager, and read it at runtime — the examples below show this for Node.js and Python.

Environment Variables — .env

1# .env file
2THERPC_API_KEY=your_api_key_here

Configuration Examples — Node.js

1require('dotenv').config();
2const API_KEY = process.env.THERPC_API_KEY;

Configuration Examples — Python

1import os
2from dotenv import load_dotenv
3 
4load_dotenv()
5API_KEY = os.getenv('THERPC_API_KEY')