Authentication

Every request you send to the Avalanche C-Chain through TheRPC must include an API key — it identifies your account, applies your plan's limits, and keeps your endpoint private. This guide walks you through generating a key in the dashboard, attaching it to requests with the Bearer scheme, securing it with environment variables and good rotation hygiene, and reading the error responses TheRPC returns when a key is missing or invalid.

Getting an API Key

• Sign up for a free account at TheRPC.io.
• Open the Dashboard once you are signed in.
• Go to the API Keys section.
• Generate a key and copy it — you will append it to the Avalanche C-Chain endpoint https://avalanche.therpc.io/YOUR_API_KEY and send it in the Authorization header.

Using Your API Key

Pass your key in the Authorization header using the Bearer scheme: Authorization: Bearer YOUR_API_KEY. Every single call to the Avalanche C-Chain must include this header — there is no session or cookie that carries it for you, so each JSON-RPC POST, whether reading a balance or broadcasting an AVAX transfer, sends the header again.

HTTP Headers

1Authorization: Bearer YOUR_API_KEY

Example Requests — curl

1curl --request POST 'https://avalanche.therpc.io/YOUR_API_KEY' \
2  --header 'Content-Type: application/json' \
3  --header 'Authorization: Bearer YOUR_API_KEY' \
4  --data '{
5    "jsonrpc": "2.0",
6    "method": "eth_blockNumber",
7    "params": [],
8    "id": 1
9  }'

Example Requests — JavaScript

1const response = await fetch('https://avalanche.therpc.io/YOUR_API_KEY', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/json',
5    Authorization: `Bearer ${API_KEY}`,
6  },
7  body: JSON.stringify({
8    jsonrpc: '2.0',
9    method: 'eth_blockNumber',
10    params: [],
11    id: 1,
12  }),
13});

Security Best Practices

• Never commit your Avalanche C-Chain API key to source control — keep it out of Git, and add .env files to .gitignore.
• Do not paste keys into public forums, Discord channels, issue trackers, or chat logs.
• Store keys in environment variables or a dedicated secret vault, never hardcoded in client-side code where users can read them.
• Rotate keys periodically, and revoke any compromised key immediately from the dashboard.
• Use separate keys per environment and per application — for example one for local development, one for staging, one for production — so you can revoke one without breaking the others.
• Monitor each key's usage and request volume in the TheRPC dashboard to spot leaks or unexpected spikes early.

Error Handling

When authentication fails, the Avalanche C-Chain API returns a JSON-RPC error object instead of a result, carrying a numeric code and a message such as Invalid authentication credentials. The usual causes are a missing Authorization header, a malformed key or wrong header format, a key that has been expired or revoked in the dashboard, or a request that exceeded your plan's rate limit. Check the message, confirm the header is present and correctly formed, and verify the key is still active.

Authentication Error Response

1{
2  "jsonrpc": "2.0",
3  "error": {
4    "code": -32001,
5    "message": "Invalid authentication credentials"
6  },
7  "id": 1
8}

Environment Setup

The safest way to use your Avalanche C-Chain key is to load it from an environment variable at runtime rather than hardcoding it into your source. Store the value in a .env file that stays out of version control, then read it through process.env in Node.js or os.getenv in Python. This keeps the secret out of your committed code and lets you swap keys per environment without touching the application.

Environment Variables — .env

1# .env file
2THERPC_API_KEY=your_api_key_here

Configuration Examples — Node.js

1require('dotenv').config();
2const API_KEY = process.env.THERPC_API_KEY;

Configuration Examples — Python

1import os
2from dotenv import load_dotenv
3 
4load_dotenv()
5API_KEY = os.getenv('THERPC_API_KEY')