Authentication and API Keys
This guide will walk you through the two different credentials you need to work with Portal.
There are two different types of authentication used with Portal integration: a Portal API Key for server-side requests and a Client Session Token (also shown as Client API Key) for authenticating SDK users.
The Portal API Key is used server side to create new Client Session Tokens, fetch information about clients, or access other endpoints in the .
The Client API Key is used to initialize the Portal SDKs in order to authenticate an end user ("client"). It can also be used with the Enclave MPC API or other endpoints in the .
This is the API key used by your server to make requests to Portal.
Log in to .
Navigate to Settings -> Custodian API Key.
Press "New" to create a new Portal API Key.
Users (clients) are required to authenticate their devices to Portal in order to create wallets and submit transactions. Client Session Tokens (CST) are short-lived, auto-refreshing tokens used to authenticate users to Portal.
Short-Lived: CSTs expire after 24 hours of no activity. After this, a new CST must be requested from your backend.
Auto-Refreshing: Every authenticated request with a CST updates the token's expiry to 24 hours from that request time. There's a max refresh duration of 7 days, after which a CST can no longer be auto-refreshed.
The goal of this system is to keep sessions short (reducing attack windows) while minimizing the number of requests needed to create sessions.
Active User: If a user uses Portal daily, their CST expiry extends by 24 hours each day. They'll need a new CST from your backend only once per week (after hitting the 7-day max refresh duration).
Inactive User: Users logging in after a few days or weeks will need a new CST from your backend on every login since CSTs expire after 24 hours.
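The expiry rules above can be modelled locally to estimate how often your backend must create a CST for a given usage pattern. This is an added example, not Portal's code and it calls no Portal API; the class and function names are hypothetical, and it assumes the 7-day limit is measured from issuance and that a token past the limit keeps its last expiry.

```python
from datetime import datetime, timedelta

IDLE_TTL = timedelta(hours=24)   # a CST expires after 24 hours of no activity
MAX_REFRESH = timedelta(days=7)  # after this, requests stop extending the expiry


class CstLifetime:
    """Local model of one CST's expiry; it never contacts Portal."""

    def __init__(self, issued_at: datetime):
        self.issued_at = issued_at
        self.expires_at = issued_at + IDLE_TTL

    def is_valid(self, now: datetime) -> bool:
        return now < self.expires_at

    def record_request(self, now: datetime) -> bool:
        """Apply one authenticated request; False means the CST had already expired."""
        if not self.is_valid(now):
            return False
        # Assumption: the 7-day limit is measured from issuance, and past it the
        # token simply keeps the last expiry it was given.
        if now - self.issued_at < MAX_REFRESH:
            self.expires_at = now + IDLE_TTL
        return True


def count_issuances(request_times):
    """Replay sorted request timestamps and count CSTs the backend must create."""
    issued, cst = 0, None
    for now in request_times:
        if cst is None or not cst.record_request(now):
            cst = CstLifetime(now)  # backend requests a fresh CST here
            issued += 1
    return issued


# Constructed sample timelines (not real traffic).
START = datetime(2024, 1, 1)
ACTIVE_USER = [START + timedelta(hours=20 * i) for i in range(17)]  # ~14 days
INACTIVE_USER = [START + timedelta(days=d) for d in (0, 3, 10)]

if __name__ == "__main__":
    print("active user issuances:", count_issuances(ACTIVE_USER))
    print("inactive user issuances:", count_issuances(INACTIVE_USER))
```

Under these assumptions the active timeline needs a new CST only when the 7-day limit is reached, while the inactive timeline needs one on every login.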
Navigate to Settings -> Test Client API Keys.
Press "New" to create a new Client API Key.
To authenticate mobile users with Portal, they need a unique Client Session Token. Request this token from your backend using the Portal API Key, then share it with mobile users after they log in.
When a user first registers for your mobile app, use your Portal API Key to create a Client Session Token. Remember to associate the returned clientId with the user in your system.
When the token needs refreshing (during later logins), use the following endpoint:
Your user can now use this refreshed clientSessionToken.
Before going live with real users, always ensure that you create clients using a Portal API Key from your Portal's Production environment. Read more on going live with real users.
If you'd like to quickly test out a Portal SDK or the you can generate a Client API Key from the Portal Admin dashboard! It has the same permissions as a Client Session Token, except that it doesn't expire. This is helpful for development!
Log in to .
When your user's CST expires, all Portal SDKs will throw an error on the next MPC Operation the user makes (e.g. creating a wallet, backing up a wallet, recovering a wallet, or signing). That error will include in the SDK methods, which you can use as an indicator to refresh your CST.