Authentication
Your endpoint is firewall-isolated by default. For external access, authenticate with an API key.
API keys
Generate an API key from your dashboard and pass it in the Authorization header as a bearer token:
curl https://rpc.openinfra.sh \ -H "authorization: Bearer oi_live_xxxxxxxxxxxx" \ -X POST \ -H "content-type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"getHealth"}'Alternatively, pass the key as a query parameter when you can't set headers (e.g. WebSocket upgrades):
https://rpc.openinfra.sh?api-key=oi_live_xxxxxxxxxxxxKey prefixes
| Prefix | Scope | Notes |
|---|---|---|
oi_live_ | Production | Full access to all services |
oi_test_ | Testnet | Devnet and testnet endpoints only |
oi_ro_ | Read-only | Excludes sendTransaction and simulate |
Network isolation
Private fabric (no key needed)
Traffic from your own OpenInfra server travels over the private network fabric and does not require a key. This is the lowest-latency path.
External access
- External requests must present a valid API key.
- Requests without a key or with an invalid key return HTTP 403.
- TLS is enforced on all external connections.
IP allowlist
You can restrict your endpoint to a fixed list of source IPs from the dashboard. Requests from unlisted IPs are dropped at the firewall before reaching the node.
Rotating keys
Create a new key, update your deployment, then revoke the old key. Revocation propagates across all regions within seconds. Zero downtime rotation is safe.