Overview
Onchain Suite supports different auth models depending on where the integration runs.Common Patterns
Browser App
For same-site product experiences, the recommended pattern is an authenticated session with cookies enabled.Embedded Or Non-Browser Client
When a browser session is not available, a bearer token or session token can be used for the specific flow you are embedding.Publishable Keys
Publishable keys are designed for safe client-side flows such as wallet-first identity and in-app challenge or verification steps.Secret Keys
Secret keys are for server-to-server protocol operations such as secure dispatch or backend-only delivery workflows. They should never appear in client code.Practical Guidance
- Keep browser auth and protocol server auth separate.
- Store secret keys in server-side infrastructure only.
- Rotate secrets regularly and keep clear ownership for each active key.
- Scope requests to the correct organization or project context when required.

