
Authentication

Most endpoints are public. The only authenticated one is GET /v1/me, which identifies the user behind a Rift Finance access token.

Public endpoints

Every read (events, positions, oracle, governance, pricing) and every calldata builder (POST /v1/tx/...) is unauthenticated. There are no API keys to manage and no per-request signatures to compute.

That's safe because:

  • Reads observe public on-chain state.
  • Calldata builders only encode bytes — they don't sign or send anything. The actual security comes from the signing step, which happens in your wallet, not on our server.
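Because the builders are unauthenticated and only encode bytes, the step that actually protects the user is what the front-end hands to the wallet for signing. The following is an added example (not BlockFinaX's or Rift's code) of a pre-signing policy check a front-end can run on a builder response before passing it to the wallet. It assumes a `{ to, data, value }` response shape, a placeholder contract address and a placeholder 4-byte selector; none of those values come from this page.

```javascript
// Added example: check builder output against a local allowlist before signing.
// The { to, data, value } shape, the contract address and the selector are
// placeholders, not BlockFinaX's real response format or contracts.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const HEX_RE = /^0x(?:[0-9a-fA-F]{2})*$/; // whole bytes only

// Policy: contracts this front-end is willing to sign for, the function
// selectors (first 4 bytes of calldata) permitted on each, and whether the
// call may carry native value. Keys are lowercased addresses (placeholders).
const policy = {
  "0x1111111111111111111111111111111111111111": {
    allowedSelectors: new Set(["0x12345678"]), // placeholder selector
    allowValue: false,
  },
};

// Returns { ok, problems }; a front-end should refuse to sign when ok is false.
function checkCalldata(tx, policy) {
  const problems = [];
  if (typeof tx.to !== "string" || !ADDRESS_RE.test(tx.to)) {
    problems.push("to is not a 20-byte hex address");
  }
  if (typeof tx.data !== "string" || !HEX_RE.test(tx.data) || tx.data.length < 10) {
    problems.push("data is not hex calldata with a 4-byte selector");
  }
  if (problems.length) return { ok: false, problems };

  const rule = policy[tx.to.toLowerCase()];
  if (!rule) return { ok: false, problems: [`contract ${tx.to} is not in the policy`] };

  const selector = tx.data.slice(0, 10).toLowerCase();
  if (!rule.allowedSelectors.has(selector)) {
    problems.push(`selector ${selector} is not allowed on ${tx.to}`);
  }

  // value may arrive as a decimal or 0x-prefixed string; treat anything else as invalid.
  let value;
  try {
    value = BigInt(tx.value ?? 0);
  } catch {
    problems.push("value is not a valid integer");
  }
  if (value !== undefined && value > 0n && !rule.allowValue) {
    problems.push("non-zero value is not allowed for this call");
  }
  return { ok: problems.length === 0, problems };
}
```

The point of the check is that the allowlist lives in the front-end, so a wrong or tampered builder response is caught before the wallet ever prompts the user; the wallet's own confirmation screen remains the final line of defence.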

GET /v1/me — Rift bearer

The single authenticated endpoint, used to identify the user a BlockFinaX front-end is logged in as.

curl https://api.blockfinax.com/v1/me \
  -H "Authorization: Bearer <rift access token>"

Response:

{
  "data": {
    "address": "0xcab3147911130fcd3b08fce2ef4bf1e28f76e894",
    "email": "user@example.com",
    "phoneNumber": null,
    "externalId": null,
    "user": "user-uuid"
  }
}

The access token comes from the Rift Finance SDK / widget when a user signs in. The integrator API verifies the token by calling Rift's /user/me upstream; the result is cached for 60 s.

Errors

Status   code           When
401      unauthorized   No Authorization header, or the bearer is malformed/empty
401      unauthorized   Rift rejected the token (expired, revoked, never issued)

Why no API key for the calldata builders?

We considered it. The reasons the answer is no:

  • The server doesn't custody anything. Calldata is just encoded bytes.
  • Rate-limiting via API key would only protect us (CPU spend on encoding), not the user.
  • Adding a key barrier slows integration: every new integrator would need a key flow before they could try curl against a single endpoint.

If you're operating a high-volume bot, feel free to hammer the read endpoints; if we add per-IP rate limits in the future, they'll show up as 429s.

Reserved: admin token

The OpenAPI schema declares an adminToken security scheme (x-admin-token header). It's reserved for admin endpoints that don't exist in /v1 yet — they'll appear if/when we add server-side governance helpers. None of the current endpoints require it.