Authentication
The M0 Protocol API requires authentication via API keys to access its endpoint. This ensures that only authorized users can interact with the API and access its data.
Contact us to obtain an API key.
Using API Keys
To authenticate your requests, include the API key in the Authorization header of your HTTP requests. For example, a POST request with curl:
curl -i \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: ApiKey <YOUR_API_KEY>" \
--data '{"query":"{ __typename }"}' \
https://protocol-api.m0.org/graphql
API keys should be kept secret and not exposed in public repositories or client-side code. If you believe your API key has been compromised, please contact us immediately to revoke the key and issue a new one.
Storing API Keys Securely
To protect your API key and prevent unauthorized access, follow these best practices:
Restrict Access by Origin and IP
Configure your API key to limit where it can be used from:
- IP Allowlisting: Restrict the API key to specific IP addresses or CIDR ranges that correspond to your backend servers
- Origin Restrictions: If applicable, limit the domains or origins that can make requests using your API key
Contact us to configure these restrictions for your API key. This adds an additional layer of security, ensuring that even if your key is compromised, it cannot be used from unauthorized locations.
Use a Backend Service
Consider implementing a backend service that:
- Stores the API key securely in environment variables or a secrets manager
- Acts as a proxy between your frontend and the M0 Protocol API
- Handles authentication on behalf of your users
This approach ensures that your API key is never transmitted to or accessible from the client.
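A minimal sketch of such a backend proxy, added here as an illustration and not M0's own code. The environment variable name M0_API_KEY, the listening address and the body size limit are assumptions, and the sketch assumes your application's own user authentication runs in front of it.

```python
import json
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://protocol-api.m0.org/graphql"  # endpoint from the curl example
MAX_BODY = 64 * 1024  # assumed request size limit for this sketch

def build_upstream_request(body: bytes, api_key: str) -> urllib.request.Request:
    """Validate the client's body and attach the server-held key.
    Only the body is taken from the client; its headers are never forwarded."""
    if len(body) > MAX_BODY:
        raise ValueError("body too large")
    payload = json.loads(body)  # non-JSON input raises ValueError
    if not isinstance(payload, dict) or not isinstance(payload.get("query"), str):
        raise ValueError("expected a JSON object with a 'query' string")
    return urllib.request.Request(
        UPSTREAM, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"})

class Proxy(BaseHTTPRequestHandler):
    api_key = ""  # set once at startup, never sent to the client

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
            if not 0 <= length <= MAX_BODY:
                raise ValueError("bad length")
            req = build_upstream_request(self.rfile.read(length), self.api_key)
        except ValueError:
            return self.send_error(400, "invalid request")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, data = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # relay upstream 4xx/5xx as-is
            status, data = err.code, err.read()
        except OSError:  # DNS failure, refused connection, timeout
            return self.send_error(502, "upstream unreachable")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    Proxy.api_key = os.environ["M0_API_KEY"]  # fail fast if the key is missing
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Because the proxy builds the upstream headers itself, an Authorization header sent by the browser is discarded rather than relayed, and the key appears only in the outbound request from your server.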