Skip to main content

Overview

Onchain Suite supports different auth models depending on where the integration runs.

Common Patterns

Browser App

For same-site product experiences, the recommended pattern is an authenticated session with cookies enabled.

Embedded Or Non-Browser Client

When a browser session is not available, a bearer token or session token can be used for the specific flow you are embedding.

Publishable Keys

Publishable keys are designed for safe client-side flows such as wallet-first identity and in-app challenge or verification steps.

Secret Keys

Secret keys are for server-to-server protocol operations such as secure dispatch or backend-only delivery workflows. They should never appear in client code.

Practical Guidance

  • Keep browser auth and protocol server auth separate.
  • Store secret keys in server-side infrastructure only.
  • Rotate secrets regularly and keep clear ownership for each active key.
  • Scope requests to the correct organization or project context when required.