Authentication

SwiftNodes never stores passwords. You can sign in with a wallet (Sign-In With Ethereum) or with an email one-time code. Once signed in, every RPC request uses an API key.

API Key Authentication

Every RPC request requires an API key. Pass it as a query parameter or header:

# Query parameter (recommended)
POST https://rpc.swiftnodes.io/rpc/eth?key=YOUR_API_KEY

# Header
POST https://rpc.swiftnodes.io/rpc/eth
x-api-key: YOUR_API_KEY

Sign-In With Ethereum (SIWE)

Dashboard access via wallet uses the SIWE standard (EIP-4361). The flow is:

  1. Request a nonce: GET /api/auth/nonce?wallet=0x...
  2. Sign the SIWE message with MetaMask
  3. Submit signature: POST /api/auth/verify
  4. Receive a session token valid for 7 days

Email + One-Time Code

If you prefer not to use a wallet, sign in with email. We send a 6-digit code that expires in 10 minutes — no password is ever stored.

  1. Request a code: POST /api/auth/email/start with { email }. Response includes isNew (whether the account is being created) and a 60-second resend cooldown.
  2. Check your inbox for the 6-digit code
  3. Submit the code: POST /api/auth/email/verify with { email, pin }
  4. Receive a session token valid for 7 days

Codes are rate-limited per email and per IP. After 5 incorrect attempts you'll need to request a new code.

Session & Logout

Pass the session token in the x-session-token header on dashboard requests. Look up current session info via GET /api/auth/session?token=.... Sign out and revoke the token with POST /api/auth/logout.

Linking Methods

An account can have both a wallet and an email — either signs you into the same account. From your dashboard:

  • Email-only user adding a wallet: POST /api/auth/link-wallet with a SIWE message + signature.
  • Wallet-only user adding email login: POST /api/auth/link-email/start, then /link-email/verify with the 6-digit code — email ownership is verified before it can be used to sign in.

API Key Management

From your dashboard you can:

  • Create additional API keys with custom labels
  • Revoke compromised keys instantly

All keys share your plan's rate limits.

Security Best Practices

  • Never expose your API key in client-side code
  • Use environment variables to store keys
  • Rotate keys periodically
  • Use separate keys for development and production
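
The following is an added example, not SwiftNodes code: it reads the API key from an environment variable, sends it in the x-api-key header so the key stays out of the URL, and masks key= and token= values in any URL before it is logged. The variable name SWIFTNODES_API_KEY, the helper names, and the standard Ethereum JSON-RPC body are assumptions; the endpoint and header name are taken from this page.

```python
import json
import os
import re
import urllib.request

RPC_URL = "https://rpc.swiftnodes.io/rpc/eth"  # endpoint shown on this page
KEY_ENV_VAR = "SWIFTNODES_API_KEY"             # assumed variable name

# Matches the ?key= (RPC) and ?token= (session lookup) query parameters.
_SECRET_PARAM = re.compile(r"([?&](?:key|token)=)[^&#\s]+", re.IGNORECASE)


def redact_secrets(text: str) -> str:
    """Mask key= / token= values so URLs can be logged safely."""
    return _SECRET_PARAM.sub(r"\1REDACTED", text)


def load_api_key(env=os.environ) -> str:
    """Read the key from the environment; fail closed if it is missing."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_rpc_request(method: str, params: list, env=os.environ):
    """Build (but do not send) a JSON-RPC POST with the key in x-api-key."""
    # Assumption: the endpoint accepts a standard Ethereum JSON-RPC 2.0 body.
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    return urllib.request.Request(
        RPC_URL,
        data=body.encode(),
        method="POST",
        # urllib stores this header as "X-api-key"; HTTP header names are
        # case-insensitive, so the server still sees x-api-key.
        headers={"Content-Type": "application/json", "x-api-key": load_api_key(env)},
    )


if __name__ == "__main__":
    # Constructed sample key, not a real credential.
    sample_env = {KEY_ENV_VAR: "sk_example_123"}
    req = build_rpc_request("eth_blockNumber", [], env=sample_env)
    print(req.get_method(), req.full_url)  # the URL carries no key
    print(redact_secrets(RPC_URL + "?key=sk_example_123"))
```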