Authentication overview

1inch provides access to its decentralized finance (DeFi) protocols, such as the Aggregation Protocol and Limit Order Protocol, primarily through API keys. These keys serve as a mechanism to identify and authorize client applications making requests to the 1inch API endpoints. The authentication model focuses on simplicity and direct access, enabling developers to integrate token swapping and liquidity routing functionalities efficiently into their applications.

While direct blockchain interactions inherently use cryptographic signatures for transaction authorization, API keys are essential for accessing the centralized components of the 1inch infrastructure, such as data retrieval, optimal route calculation, and other services that precede on-chain execution. This approach allows 1inch to offer optimized routes and data services without requiring a full wallet connection for every API call, streamlining developer experience while maintaining security at the blockchain layer for actual asset transfers.

Developers interacting with the 1inch API will use their generated API keys to sign requests, ensuring that only authorized applications can query the 1inch services. This system helps prevent unauthorized access to sensitive data and service abuse, forming a critical layer of security for the 1inch ecosystem. For detailed integration steps, developers can refer to the 1inch Aggregation Protocol API reference.

Supported authentication methods

1inch primarily supports API key authentication for programmatic access to its services. This method is standard for many web APIs, providing a straightforward way to manage access control.

The table below summarizes the key authentication method supported by 1inch:

Method When to Use Security Level
API Key (HTTP Header) Accessing the 1inch Aggregation Protocol and other API services for data retrieval and route optimization. Moderate (relies on key secrecy and secure transmission over HTTPS).

API Key Authentication:

  • Mechanism: API keys are typically passed in the HTTP Authorization header or as a query parameter in API requests. 1inch documentation specifies the exact method for specific endpoints, typically preferring a header for security.
  • Purpose: Identifies the application making the request and grants access based on the permissions associated with that key.
  • Security Considerations: API keys should be treated as sensitive credentials. Their compromise can lead to unauthorized API usage. All API communication with 1inch must occur over HTTPS (TLS) to encrypt the API key in transit, protecting it from eavesdropping, as outlined in security best practices for Transport Layer Security.

Getting your credentials

To obtain API keys for 1inch, developers typically follow a registration process through the 1inch developer portal or dashboard. The specific steps involve:

  1. Developer Portal Registration: Navigate to the 1inch developer documentation and locate the section for API key generation. You may need to create an account or log in to an existing one.
  2. Dashboard Access: Once logged in, there should be a dedicated section or dashboard where you can manage your applications and generate new API keys.
  3. Key Generation: Follow the prompts to generate a new API key. During this process, you might be asked to provide a name for your application or specify the intended use case. This helps in organizing and tracking API key usage.
  4. Key Storage: Immediately upon generation, the API key will be displayed. It is crucial to copy and store this key securely. In most cases, API keys are displayed only once and cannot be retrieved later. If lost, you will need to generate a new key and revoke the old one.
  5. Permissions and Scopes (if applicable): Depending on the 1inch service or future enhancements, you might be able to define specific permissions or scopes for your API key, limiting its access to only the necessary functionalities. Refer to the official 1inch documentation for the latest information on API key capabilities.

It's important to review the terms of service and any usage limits associated with API keys to ensure compliance and avoid service interruptions.

Authenticated request example

When making an authenticated request to the 1inch Aggregation Protocol, your API key will be included in the HTTP headers. The following example demonstrates a common way to make a GET request using a placeholder API key. For actual API endpoints and parameters, consult the 1inch API reference.

Example using cURL:

curl -X GET \
  'https://api.1inch.io/v5.0/1/swap?fromTokenAddress=0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee&toTokenAddress=0x6b175474e89094c44da98b954eedeac495271d0f&amount=1000000000000000000&fromAddress=0xc57C60B3F1179B7181F5b5079a4993630f9d92eC&slippage=1&disableEstimate=true' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer YOUR_1INCH_API_KEY'

In this example:

  • -X GET specifies the HTTP method.
  • The URL is a hypothetical 1inch API endpoint for a swap quote (the actual URL and parameters will vary).
  • -H 'accept: application/json' sets the expected response format.
  • -H 'Authorization: Bearer YOUR_1INCH_API_KEY' is the crucial part for authentication. Replace YOUR_1INCH_API_KEY with your actual 1inch API key. The Bearer prefix is a common convention for API key and OAuth 2.0 token authentication, indicating a bearer token as described in RFC 6750 for Bearer Token Usage.

Example using Python (requests library):

import requests

api_key = "YOUR_1INCH_API_KEY"
headers = {
    "accept": "application/json",
    "Authorization": f"Bearer {api_key}"
}

# Example for a swap quote endpoint
url = "https://api.1inch.io/v5.0/1/swap"
params = {
    "fromTokenAddress": "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee",
    "toTokenAddress": "0x6b175474e89094c44da98b954eedeac495271d0f",
    "amount": "1000000000000000000",
    "fromAddress": "0xc57C60B3F1179B7181F5b5079a4993630f9d92eC",
    "slippage": "1",
    "disableEstimate": "true"
}

response = requests.get(url, headers=headers, params=params)

if response.status_code == 200:
    print("Request successful:")
    print(response.json())
else:
    print(f"Error: {response.status_code}")
    print(response.text)

Remember to always replace placeholder values with your actual API key and consult the 1inch API documentation for the most current endpoint paths and parameters.

Security best practices

Securing your 1inch API keys and ensuring the integrity of your integrations is paramount. Adhering to these best practices helps mitigate risks associated with API key compromise:

  • Keep API Keys Confidential: Treat your 1inch API keys like passwords. Never hardcode them directly into client-side code, commit them to public version control systems (e.g., GitHub), or expose them in public-facing applications.
  • Use Environment Variables: Store API keys in environment variables or a secure configuration management system on your server. This prevents them from being directly visible in your codebase. For serverless environments, consider using secrets management services offered by cloud providers like AWS Secrets Manager documentation or Google Cloud Secret Manager overview.
  • HTTPS Everywhere: Always ensure that all communication with the 1inch API occurs over HTTPS. This encrypts your API key and request data in transit, protecting against man-in-the-middle attacks. 1inch API endpoints are typically served exclusively over HTTPS.
  • Implement Rate Limiting: While 1inch may have its own rate limits, implement client-side rate limiting in your application. This can help prevent abuse of your API key if it were ever compromised, limiting the number of requests an attacker could make.
  • Rotate API Keys Regularly: Periodically generate new API keys and revoke old ones. This practice reduces the window of opportunity for a compromised key to be exploited.
  • Monitor API Key Usage: If 1inch provides usage metrics or logs, regularly review them for any unusual activity that might indicate unauthorized use of your API key.
  • Restrict API Key Permissions (if available): If 1inch offers granular permissions or scopes for API keys, assign only the minimum necessary permissions required for your application's functionality. This limits the damage a compromised key can cause.
  • Validate and Sanitize Inputs: Always validate and sanitize any user-supplied input before using it in API requests to prevent injection attacks and other vulnerabilities.
  • Secure Your Development Environment: Ensure that your development machines and build pipelines are secure to prevent API keys from being exposed during the development and deployment process.