Authentication

Most Stridge endpoints authenticate with a secret API key sent in the X-API-Key request header. Two read-only endpoints are public and need no key at all.

Authenticated request

curl "https://api.stridge.dev/v1/uda" \
  -H "X-API-Key: $STRIDGE_API_KEY"

A missing or invalid key on a protected endpoint returns 401 with the standard error envelope.

Getting a key

Mint keys from the Stridge dashboard. Each environment has its own keys — a sandbox key only works against api.stridge.dev, and a production key only against api.stridge.com. Keys are secret; treat them like passwords.

Public vs. authenticated endpoints

These endpoints are public — call them with no key:

Get a cross-chain / cross-asset quote — GET /uda/quote
List UDA-supported assets — GET /uda/supported-assets

Every other endpoint requires the X-API-Key header:

List UDA addresses — GET /uda
Create a UDA address — POST /uda
List settlements for a UDA address — GET /uda/{id}/settlements
Get a settlement — GET /uda/settlements/{id}
List settlements by reference — GET /uda/settlements/by-reference

Keeping your key safe

Warning

Your API key carries the full permissions of your account. Never ship it in a browser bundle, mobile app, or any client a user can inspect — call Stridge from your server and keep the key server-side.

Server-side only. Make Stridge calls from your backend; never expose the key to end users.
Use sandbox for development. Point local and CI environments at api.stridge.dev with a sandbox key.
Rotate on exposure. If a key leaks, revoke it in the dashboard and issue a new one.
The docs console is the exception you can trust. The Try it console on each endpoint page stores your key in your browser's localStorage and sends it straight to the Stridge API — it never reaches Stridge's docs servers. Use a sandbox key there.