Authentication
Two credentials — session tokens for the control-plane API, and API keys for submitting transactions.
Beta — rolling out now. The dashboard and its control-plane API are in active rollout. The contract documented here is stable, but availability may vary by deployment.
0block uses two distinct credentials. They are not interchangeable.
| Credential | Header | Used for |
|---|---|---|
| Session token | Authorization: Bearer <token> | The control-plane API (/api/v1): your account, API keys, transaction history, and stats. |
| API key | X-API-Key: <key> (or ?api-key=<key>) | Submitting transactions (sendTransaction) on the root path. |
Session tokens
A session token identifies you (the account owner). You obtain one by signing in to the dashboard; the dashboard issues and manages it for you — there is no public signup or login API to call. Send it as a bearer token on every control-plane request:
curl -s 'https://nyc.0block.io/api/v1/me' -H "Authorization: Bearer $TOKEN"- A missing, invalid, or expired token returns
401 unauthorized. POST /auth/logoutrevokes the current session.
API keys
An API key authenticates transaction submissions, and is what ties a submission to your account's telemetry. Create and revoke keys from the dashboard or the Keys API.
Format
0b_<43 url-safe base64 characters>- 46 characters total — the
0b_prefix plus 43 base64url characters. - The full key is shown once, at creation. Only its prefix (
0b_+ the first 8 characters, 11 characters total) is stored for display and shown thereafter. - Only a hash of the key is stored server-side; 0block cannot recover a lost key — create a new one and revoke the old.
- Up to 10 active keys per account.
Using a key
Pass it on the submission request as a header (preferred) or query parameter:
# Header
curl -s -X POST 'https://nyc.0block.io/' \
-H 'Content-Type: application/json' \
-H "X-API-Key: $KEY" \
-d '{"jsonrpc":"2.0","id":1,"method":"sendTransaction","params":["<base64-tx>",{"encoding":"base64"}]}'
# Query parameter
curl -s -X POST 'https://nyc.0block.io/?api-key=<YOUR_API_KEY>' \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"sendTransaction","params":["<base64-tx>",{"encoding":"base64"}]}'An invalid, revoked, or unknown API key is rejected fail-closed with HTTP 401 / JSON-RPC
-32004. Revoking a key takes effect immediately.
Submissions made with a valid key are recorded so you can follow them in Tracking your transactions.