Authentication overview

Thunderbit provides access to its Solana blockchain data and services through a set of APIs, including Solana RPC, Transaction History, and Webhooks. Authentication for these services is managed with API keys. An API key is both a unique identifier and a secret: an application presents it with each request, and Thunderbit uses it to attribute the request to an account and to enforce that account's access policies, such as rate limits and the features available under its subscription plan. Every request to the Thunderbit API must be made over HTTPS so that the key and the payload are encrypted in transit and protected from eavesdropping and tampering (see Cloudflare's explanation of HTTPS). TLS protects the key only on the wire; it does nothing for a key that has been committed to source control, printed to a log, or pasted into a ticket.

API keys keep integration simple: a developer can obtain a key and start sending requests to the Solana network within minutes. That convenience comes with responsibility. A leaked key gives whoever holds it access to the Thunderbit account and to the services billed to it, so developers must manage their keys securely. Thunderbit's documentation describes how to obtain and use the keys and how to handle them safely (see the Thunderbit API overview).

Supported authentication methods

Thunderbit supports API key authentication for access to its services. The method is common among API providers because it is simple and gives the provider direct control over who may use a resource. Depending on the endpoint and request type, the key is passed either in a request header or as a query parameter. Where you have the choice, prefer the header: a key in the query string is written into web-server access logs, proxy and CDN logs, and browser history, and it can leak through the Referer header of a later request, whereas a header value normally is not logged.

Here's a breakdown of the supported authentication method:

Method:         API Key
When to use:    All API calls to Thunderbit RPC, Transaction History, and Webhooks. Suited to server-to-server communication, where the key stays on a host you control. Browser and mobile clients cannot keep a key secret; they should call a backend of yours that holds the key and forwards the request.
Security level: Standard. The key must be stored securely and sent only over HTTPS, because anyone holding it has direct access to the account's resources and usage quota.

For Solana RPC calls, the API key attributes each request to the correct account for billing and rate limiting. Webhooks work the other way round: Thunderbit calls your endpoint, so your endpoint has to authenticate Thunderbit. That may involve signature verification, where Thunderbit sends a signature with the webhook payload and your application recomputes it from a shared secret and compares the two before acting on the event. Verifying the signature protects against spoofed webhook events and ensures that only legitimate notifications from Thunderbit are processed by your system (the same pattern PayPal describes in its webhook verification guide). Compute the signature over the raw request body, compare it in constant time, and, if the scheme includes a timestamp, reject events outside a short window so that a captured event cannot be replayed later.
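The verification described above, as an added example that is not Thunderbit's own code. This page does not give Thunderbit's header names, signing scheme, or replay window, so the example assumes a hypothetical scheme: HMAC-SHA256 over "timestamp.body" sent in X-Thunderbit-Signature and X-Thunderbit-Timestamp headers, a five-minute replay window, and a constructed shared secret. Substitute the real values from Thunderbit's webhook documentation; the structure (raw body, freshness check, constant-time compare, parse only after the check passes) carries over unchanged.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Hypothetical names: this page does not specify Thunderbit's header names, signing
# scheme, or replay window. Take the real values from Thunderbit's webhook documentation.
SIGNATURE_HEADER = "x-thunderbit-signature"
TIMESTAMP_HEADER = "x-thunderbit-timestamp"
MAX_SKEW_SECONDS = 300  # reject events whose timestamp is more than five minutes off

# Constructed shared secret for the sample; a real one comes from the Thunderbit dashboard.
WEBHOOK_SECRET = b"whsec_example_secret_do_not_use"


def sign_payload(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>".

    Binding the timestamp into the MAC means an attacker cannot take a genuine
    signature and re-send it later under a fresh timestamp.
    """
    message = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only for a fresh, correctly signed event.

    Work on the raw request bytes, not on re-serialised JSON: any change in key
    order or whitespace would alter the MAC.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    signature = lowered.get(SIGNATURE_HEADER)
    timestamp = lowered.get(TIMESTAMP_HEADER)
    if not signature or not timestamp:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future event: treat it as a replay
    expected = sign_payload(secret, ts, raw_body)
    # Constant-time comparison, so response timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8"))


def handle_event(secret: bytes, headers: Dict[str, str], raw_body: bytes,
                 now: Optional[int] = None) -> Optional[dict]:
    """Parse the event only after the signature check passes; otherwise return None."""
    if not verify_webhook(secret, headers, raw_body, now):
        return None
    return json.loads(raw_body)


def make_sample_event(timestamp: int) -> Tuple[Dict[str, str], bytes]:
    """Constructed sample delivery, signed the way the sender would sign it."""
    body = json.dumps({"type": "transaction.confirmed", "slot": 123456789,
                       "signature": "example-transaction-signature"}).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "X-Thunderbit-Signature": sign_payload(WEBHOOK_SECRET, timestamp, body),
        "X-Thunderbit-Timestamp": str(timestamp),
    }
    return headers, body


if __name__ == "__main__":
    now = int(time.time())
    headers, body = make_sample_event(now)
    print("genuine event accepted:", handle_event(WEBHOOK_SECRET, headers, body, now) is not None)
    print("tampered body rejected:", handle_event(WEBHOOK_SECRET, headers, body + b" ", now) is None)
    print("replay after window rejected:",
          handle_event(WEBHOOK_SECRET, headers, body, now + MAX_SKEW_SECONDS + 1) is None)
```

In a web framework, pass the framework's raw body bytes (not a parsed and re-encoded object) and its header mapping into handle_event, and return HTTP 401 when it yields None.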

Getting your credentials

To authenticate with Thunderbit's APIs, you will need to obtain an API key from your Thunderbit dashboard. The process generally involves the following steps:

  1. Account Creation: If you don't already have one, sign up for a Thunderbit account on their official website. This typically involves providing an email address and creating a password.
  2. Dashboard Access: Once registered and logged in, navigate to your Thunderbit dashboard. This is the central hub for managing your projects, viewing usage metrics, and accessing your API keys.
  3. API Key Generation: Within the dashboard, there should be a section dedicated to API keys or project settings. You may need to create a new project or select an existing one to generate or view API keys. Thunderbit allows users to generate multiple API keys, which is useful for separating environments (e.g., development, staging, production) or applications: each key can then be rotated or revoked on its own, and usage can be traced back to the application that made it (see the Thunderbit documentation).
  4. Key Retrieval: Once generated, your API key will be displayed. It is crucial to copy this key immediately and store it securely, as it may not be displayed again for security reasons. Treat your API key as you would a password.

Refer to the official Thunderbit documentation for the most up-to-date and precise instructions on generating and managing your API keys, as the user interface and specific steps may change over time (see Thunderbit's official documentation portal).

Authenticated request example

This example shows an authenticated request to a Thunderbit Solana RPC endpoint with the API key passed as a query parameter. If the endpoint you use also accepts the key in a header, prefer that form, since query strings end up in access and proxy logs. The request is made with cURL, a common way to test API endpoints.

Assume your Thunderbit API endpoint for Solana RPC is https://api.thunderbit.io/v1/solana/mainnet and your API key is YOUR_THUNDERBIT_API_KEY.

curl -X POST \
  'https://api.thunderbit.io/v1/solana/mainnet?api_key=YOUR_THUNDERBIT_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "getHealth"
  }'

In this example:

  • -X POST specifies the HTTP method as POST.
  • 'https://api.thunderbit.io/v1/solana/mainnet?api_key=YOUR_THUNDERBIT_API_KEY' is the API endpoint URL, with the API key appended as a query parameter.
  • -H 'Content-Type: application/json' sets the Content-Type header, indicating that the request body is JSON.
  • -d '...' provides the JSON request body, which in this case is a standard Solana RPC getHealth method call.

Replace YOUR_THUNDERBIT_API_KEY with the API key from your Thunderbit dashboard. Bear in mind that a command typed at a shell prompt is recorded in the shell history and visible in process listings; reading the key from an environment variable or a file keeps it off the command line. The way the key is attached differs between languages (Python, JavaScript, and so on), but the principle of sending it with every request is the same. Thunderbit's API reference has examples for several languages (see the Thunderbit API reference examples).

Security best practices

Securing your Thunderbit API keys is critical to prevent unauthorized access to your account and Solana infrastructure. Adhering to security best practices helps protect your applications and data.

  1. Keep API Keys Confidential: Never embed API keys in code that ships to end users (JavaScript in a browser, a mobile app); anyone can read the key from the bundle or capture it with an intercepting proxy. If you are building a client-side application, route requests through a backend server that holds the key and forwards requests on the client's behalf.
  2. Use Environment Variables: When deploying, supply API keys through environment variables (or a secrets manager) rather than writing them into the codebase. This keeps them out of version control, provided any local .env file is listed in .gitignore, and lets you rotate a key without a code change. In Node.js, for example, you would read process.env.THUNDERBIT_API_KEY.
  3. Restrict Access Control: Ensure that only authorized personnel have access to your Thunderbit dashboard and API keys. Implement role-based access control (RBAC) where available within your organization.
  4. Implement Key Rotation: Rotate API keys on a schedule and immediately on suspected compromise; the shorter a key's lifetime, the smaller the window an attacker has. Thunderbit's dashboard should provide functionality to generate new keys and revoke old ones, and generating the replacement before revoking the old key lets you switch without downtime.
  5. Monitor Usage: Review your Thunderbit API usage metrics in the dashboard regularly. An unexpected spike, or calls to methods your application never uses, can indicate a compromised key or unauthorized activity, and a dedicated key per application (see item 8) makes the offending key easy to identify.
  6. Enforce HTTPS/TLS: Always ensure that all communications with the Thunderbit API are made over HTTPS. This encrypts the data in transit, protecting your API key and request payloads from interception. Thunderbit enforces HTTPS, but confirm that your client configuration uses it too and does not, for example, disable certificate verification (see MDN web docs on TLS).
  7. IP Whitelisting (if available): If Thunderbit offers IP whitelisting, restrict each key to the addresses your servers egress from, so that a stolen key is useless from anywhere else. Treat this as an extra layer rather than a substitute for keeping the key secret, since egress addresses are often shared in cloud environments.
  8. Avoid Sharing Keys: Do not share API keys unnecessarily. Each developer or service should ideally use its own key, if supported, to allow for granular access control and easier auditing.
  9. Secure Development Practices: Follow general secure coding practices, such as input validation and error handling, to prevent common vulnerabilities that could expose sensitive information, including API keys.

By implementing these practices, developers can significantly enhance the security posture of their applications integrating with Thunderbit's Solana services.