Secure Infura project key

Nhan Cao
2 min read · Oct 19, 2022



  • Frontend/Mobile app:
    + Requests: 10/sec, 5000/day
    + Allowlists: Origins, Contract addresses, User agents (optional)
    + JWT required: Public (short expiration), Signed (long expiration)
  • Backend service:
    + Requests: x0/sec, x000/day
    + Allowlists: Contract addresses, User agents (optional)
    + Project secret required: JWT or API secret

Secure with API key secret

-d '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'

There are 2 ways to serve:

#1. Add basic authentication to header:

Header {
  Authorization: Basic base64(':<INFURA-API-KEY-SECRET>')
}

Use custom headers and agent of web3:

#2. Use credentialed URLs


Secure with JWTs

The client uses a key pair (public and private keys) plus the ID of the public key registered with Infura to generate a JWT. Infura uses the public key to verify the token.

#1. Generate JWT key:

ssh-keygen -t rsa -P "" -b 4096 -m PEM -f jwtRS256.key
ssh-keygen -e -m PEM -f jwtRS256.key >

#2. Add the public key to Infura. The key has a NAME, an ID (JWT-ID), and a FINGERPRINT. These are used for creating and verifying JWTs.
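The sign-and-verify flow described under "Secure with JWTs", as an added example (not code from the original post or from Infura): the client signs with its private key and names the registered key in the `kid` header, and a verifier holding only the public key checks algorithm, signature and expiry. The `aud` value, the key ID and the function names are assumptions, and the key pair is generated inline for the demo.

```javascript
const crypto = require("crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");
const nowSec = () => Math.floor(Date.now() / 1000);

// Client side: sign "header.payload" with the private key; `kid` is the JWT-ID of the registered key.
function signJwt(privateKey, keyId, ttlSeconds, now = nowSec()) {
  const header = { alg: "RS256", typ: "JWT", kid: keyId };
  const payload = { aud: "infura.io", exp: now + ttlSeconds }; // aud value is an assumption
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Verifier side: what a service that holds only the registered public keys can check.
function verifyJwt(token, publicKeys, now = nowSec()) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm: never let the token choose how it is verified.
  if (header?.alg !== "RS256") return { ok: false, reason: "bad alg" };
  const key = publicKeys.get(header.kid);
  if (!key) return { ok: false, reason: "unknown kid" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], "base64url");
  if (!crypto.verify("RSA-SHA256", signed, key, sig)) return { ok: false, reason: "bad signature" };
  // Check expiry only after the signature, so the claims are known to be authentic.
  if (typeof payload?.exp !== "number" || payload.exp <= now) return { ok: false, reason: "expired" };
  return { ok: true, payload };
}

// Constructed demo key (2048-bit to keep the run fast; the post generates a 4096-bit key).
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const KEY_ID = "example-jwt-id"; // placeholder for the JWT-ID shown after registering the key
const registered = new Map([[KEY_ID, publicKey]]);

const token = signJwt(privateKey, KEY_ID, 300); // short expiration, as for a frontend token
console.log(verifyJwt(token, registered));
```

The private key never leaves the client; a leaked token is only useful until its `exp`, which is why the frontend profile above uses a short expiration.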