API Authentication
Learn how to authenticate with the Solana Index Fund API to access protected endpoints.
Authentication Methods
The Solana Index Fund API supports two authentication methods, depending on the type of access required:
API Key Authentication
Used for server-to-server communication and accessing user-specific data. An API key grants access to endpoints according to the permissions assigned to it when it was generated.
- Secure and revocable
- Rate limits based on tier
- Can be scoped to specific endpoints
- Ideal for backend applications
JWT Authentication
Used for user authentication in web and mobile applications. JWTs (JSON Web Tokens) are issued after a successful wallet authentication and provide temporary access to user-specific endpoints.
- Short-lived tokens (24 hours)
- Refreshable with refresh tokens
- Contains user identity information
- Ideal for frontend applications
Public endpoints that provide market data and index information do not require authentication, but they are subject to stricter rate limits compared to authenticated requests.
API Key Authentication
API keys are long-lived credentials that provide access to the Solana Index Fund API. They are intended for server-to-server communication and should be kept secure.
Obtaining an API Key
- Create an Account: Sign up for a Solana Index Fund account and complete the verification process.
- Navigate to API Settings: In your account dashboard, go to the "API Settings" section.
- Generate API Key: Click on "Generate API Key" and provide a name and description for the key.
- Select Permissions: Choose the permissions you want to grant to the API key based on your needs.
- Complete Generation: Click "Generate" to create the API key. Make sure to copy and store it securely, as it will only be shown once.
Using API Keys
To authenticate with an API key, include it in the Authorization header of your HTTP requests:
Authorization: Bearer YOUR_API_KEY
Example request using cURL:
```bash
curl -X GET "https://api.sindex.world/v1/user/portfolio" \
  -H "Authorization: Bearer YOUR_API_KEY"
```
API Key Security Best Practices
- Never expose API keys in client-side code (JavaScript, mobile apps, etc.) where they could be extracted by users.
- Use environment variables to store API keys in your server-side applications rather than hardcoding them.
- Implement the principle of least privilege by only granting the permissions that are necessary for your use case.
- Rotate API keys regularly, especially if you suspect they may have been compromised.
- Monitor API key usage to detect unusual patterns that might indicate unauthorized access.
JWT Authentication
JWT (JSON Web Token) authentication is used for user-specific access in web and mobile applications. JWTs are issued after a successful wallet authentication and contain encoded information about the user.
JWT Authentication Flow
- Wallet Authentication: The user authenticates with their Solana wallet by signing a message using the signMessage API (or legacy signTransaction for older wallets).
- Signature Verification: The server verifies the signature against the user's public key using ed25519 verification.
- Token Issuance: Upon successful verification, the server issues an access token (JWT) and a refresh token.
- Token Usage: The client includes the access token in the Authorization header of subsequent API requests.
- Token Verification: The server verifies the token's signature and expiration before processing the request.
- Token Refresh: When the access token expires, the client can use the refresh token to obtain a new access token without requiring the user to re-authenticate.
Using JWT Authentication
To authenticate with a JWT, include it in the Authorization header of your HTTP requests:
Authorization: Bearer YOUR_JWT_TOKEN
Example request using JavaScript fetch:
```javascript
fetch('https://api.sindex.world/v1/user/portfolio', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer ' + jwtToken,
    'Content-Type': 'application/json'
  }
})
  .then(response => {
    // fetch only rejects on network failure; treat 401/429 as errors instead of parsing them as data
    if (!response.ok) throw new Error('HTTP ' + response.status);
    return response.json();
  })
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));
```
JWT Token Structure
A JWT consists of three base64url-encoded parts separated by dots: header, payload, and signature.
Header
```json
{
  "alg": "RS256",
  "typ": "JWT"
}
```
Payload
```json
{
  "sub": "user_123456",
  "wallet": "7Lf2U6kZK6TqJ4d4BWK3TYsy7ZrXksu5oEAXpgAHbMR9",
  "permissions": [
    "read:index",
    "read:portfolio",
    "write:transactions"
  ],
  "iat": 1684152000,
  "exp": 1684238400,
  "nonce": "a1b2c3d4e5f6"
}
```
Signature
The signature is created by signing the encoded header and payload (joined with a dot) using the algorithm named in the header. With RS256 the server signs with its RSA private key, and verifiers check the signature with the corresponding public key. A verifier should pin the algorithm it expects rather than trusting the alg field of the token it is checking.
Token Refresh
JWT access tokens have a limited lifespan (24 hours) for security reasons. To maintain a seamless user experience, you can use refresh tokens to obtain new access tokens without requiring the user to re-authenticate.
Refresh Token Flow
- Detect Expired Token: When an API request returns a 401 Unauthorized error with the reason "token_expired", it's time to refresh the token.
- Send Refresh Request: Make a POST request to the token refresh endpoint with the refresh token.
- Receive New Tokens: If the refresh token is valid, the server will issue a new access token and possibly a new refresh token.
- Update Stored Tokens: Replace the old tokens with the new ones in your application's storage.
- Retry Original Request: Retry the original API request with the new access token.
Refresh Token Endpoint
To refresh an access token, make a POST request to the token refresh endpoint:
POST https://api.sindex.world/v1/auth/refresh
Request body:
```json
{
  "refresh_token": "YOUR_REFRESH_TOKEN"
}
```
Response example:
```json
{
  "success": true,
  "data": {
    "access_token": "NEW_ACCESS_TOKEN",
    "refresh_token": "NEW_REFRESH_TOKEN",
    "expires_in": 86400
  }
}
```
Refresh tokens have a longer lifespan (30 days) than access tokens, but they too expire for security reasons. If a refresh token expires, the user must re-authenticate with their wallet.
Rate Limiting
The Solana Index Fund API implements rate limiting to ensure fair usage and protect the service from abuse. Rate limits vary based on the authentication method and tier.
| Authentication Type | Tier | Rate Limit | Burst Limit |
|---|---|---|---|
| No Authentication | Public | 60 requests per minute | 100 requests |
| JWT Authentication | Standard | 120 requests per minute | 200 requests |
| API Key | Basic | 300 requests per minute | 500 requests |
| API Key | Premium | 1,000 requests per minute | 1,500 requests |
| API Key | Enterprise | Custom | Custom |
Rate Limit Headers
The API includes rate limit information in the response headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | The maximum number of requests allowed per minute |
| X-RateLimit-Remaining | The number of requests remaining in the current rate limit window |
| X-RateLimit-Reset | The time at which the current rate limit window resets, in UTC epoch seconds |
When a rate limit is exceeded, the API returns a 429 Too Many Requests response with information about when the rate limit will reset.
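The refresh token flow, the /v1/auth/refresh request and response formats, and the 429 handling just described, as an added client wrapper example (not the project's own SDK). It assumes the 401 reason is carried as {"error": "token_expired"} in the JSON body, and takes fetch and sleep implementations as parameters so the retry logic can be exercised against a fake server.

```javascript
const API = 'https://api.sindex.world/v1';
const wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
class SindexClient {
  // tokens: { access_token, refresh_token }. fetchImpl/sleepImpl are injectable so the
  // retry logic can be exercised against a fake server without network or real delays.
  constructor(tokens, fetchImpl = globalThis.fetch, sleepImpl = wait) {
    this.tokens = { ...tokens };
    this.fetchImpl = fetchImpl;
    this.sleep = sleepImpl;
    this.refreshing = null; // one in-flight refresh shared by concurrent callers
  }
  // Steps 2-4: exchange the refresh token; if that fails the refresh token itself has
  // expired or been revoked and the user must sign in with their wallet again.
  refresh() {
    if (!this.refreshing) {
      this.refreshing = (async () => {
        const res = await this.fetchImpl(`${API}/auth/refresh`, {
          method: 'POST', headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ refresh_token: this.tokens.refresh_token }),
        });
        const body = await res.json().catch(() => ({}));
        if (!res.ok || !body.success) throw new Error('refresh failed: wallet re-authentication required');
        this.tokens.access_token = body.data.access_token;
        if (body.data.refresh_token) this.tokens.refresh_token = body.data.refresh_token; // rotation is optional
      })().finally(() => { this.refreshing = null; });
    }
    return this.refreshing;
  }
  // Steps 1 and 5: detect token_expired (assumed to arrive as {"error": "token_expired"}),
  // refresh, retry once. A 429 is retried once after the window resets (UTC epoch seconds).
  async request(path, options = {}, retried = false) {
    const res = await this.fetchImpl(`${API}${path}`, {
      ...options,
      headers: { ...(options.headers || {}), Authorization: `Bearer ${this.tokens.access_token}` },
    });
    const body = await res.json().catch(() => ({}));
    if (retried) return { status: res.status, body }; // never loop: one retry per request
    if (res.status === 401 && body.error === 'token_expired') {
      await this.refresh();
      return this.request(path, options, true);
    }
    if (res.status === 429) {
      const resetMs = Number(res.headers.get('X-RateLimit-Reset')) * 1000;
      await this.sleep(Math.max(0, resetMs - Date.now()));
      return this.request(path, options, true);
    }
    return { status: res.status, body };
  }
}
```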