Use this page to understand auth surface area by API family. For canonical literals (headers, token sources, environment-specific behavior), use the authentication matrix.
Scope
- This page summarizes auth methods by API surface.
- It does not define a single universal flow for all IXO APIs.
- Protocol docs and service docs can require different credentials.
Common request patterns
Common header formats used across IXO docs are centralized in /reference/authentication-matrix.
Do not assume any one header or token type applies to every endpoint. Confirm each interface against /reference/authentication-matrix.
API families and auth responsibility
| API family | Surface | Auth notes |
|---|
| Protocol gateways | /api-reference/rpc-api, /api-reference/grpc-gateway-api | Chain and node access patterns vary by network and deployment. |
| Service APIs | /api-reference/blocksync-graphql-api, /api-reference/matrix-state-bot-api, /api-reference/registry-api | Service operators can enforce different credentials and scopes. |
Security baseline
- Use HTTPS for all authenticated requests.
- Keep credentials in secure runtime storage, not source files.
- Rotate tokens and keys according to your operator policy.
- Log request identifiers and auth failures for incident triage.
Source-of-truth references
- Authentication matrix:
/reference/authentication-matrix
- Networks and endpoints:
/reference/networks-and-endpoints
- Product and SDK map:
/reference/product-and-sdk-map
