API Keys

Securely manage authentication credentials for your Okto integration

Understanding Okto API Credentials

The Okto API credentials are required for integrating Okto into your application. They authenticate your requests and associate them with your Okto Dashboard account. Okto provides two credentials:

  1. App ID (Client ID / Client SWA): A public identifier for your application
  2. App Secret (Client API Key / Client Private Key): A confidential key for secure authentication

These credentials work together to authenticate your requests to the Okto platform and ensure secure communication between your application and Okto's services.

App ID / Client ID / Client SWA

The App ID is a unique identifier for your application and you as a Client. It is the smart contract address associated with the client's Smart Wallet Account (SWA). It's used to associate your Okto client with this specific app in our system.

Steps to Access App ID

  1. Log in to the Okto Dashboard.

  2. Navigate to the API Keys section from the sidebar menu.


  3. Locate the App ID displayed at the top of the API Keys page.

  4. Click the Copy button to copy the App ID to your clipboard.


App Secret / Client API Key / Client Private Key

The App Secret is a confidential key used to authenticate your API requests. It is the private key (an EVM ECDSA key of the form 0x...) of the authority of the client SWA on the Okto Chain. Keep this secret secure, and never share it publicly or include it in client-side code. If the key is compromised, you can always reset the authority.

Steps to Access App Secret

  1. Log in to the Okto Dashboard.

  2. Navigate to the API Keys section from the sidebar menu.

  3. Click the Get App Secret button. You may be prompted to re-authenticate.

  4. Once revealed, copy and securely store the App Secret. We recommend that you download this value and store it somewhere safe.


Note

  • App ID and App Secret pairs are unique for each environment (e.g., sandbox, production).
  • Ensure you're using the correct pair for the environment you're working in.
  • Okto does not store your API secret, so keep it safe and secret.

Storing App Secret

  • How Okto stores it: Okto does not store client API secrets. If the App Secret is lost, it can be reset.
  • How you should store it:
    • Use environment variables or secure secret management systems.
    • Never hardcode the secret in your application code.
    • Avoid storing it in version control systems like Git.
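One way to apply the storage rules above at server start-up, as an added example that is not part of Okto's documentation or SDK. The variable names OKTO_APP_ID and OKTO_APP_SECRET and the function loadOktoCredentials are hypothetical, and the length checks assume the App ID is a 20-byte EVM address and the App Secret a 32-byte EVM private key.

```javascript
// Added example. OKTO_APP_ID / OKTO_APP_SECRET are assumed variable names.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_']; // inlined into browser bundles
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;     // assumed App ID shape: 20-byte EVM address
const PRIVATE_KEY_RE = /^0x[0-9a-fA-F]{64}$/; // assumed App Secret shape: 32-byte EVM key

function loadOktoCredentials(env) {
  const problems = []; // messages name variables only, never their values

  // The secret must not sit in a variable that a bundler ships to the browser.
  // Any 32-byte hex value matches, so a public hash can trigger this too.
  for (const [name, value] of Object.entries(env)) {
    if (PUBLIC_PREFIXES.some((p) => name.startsWith(p)) && PRIVATE_KEY_RE.test(value)) {
      problems.push(`${name} holds a private-key-shaped value in a client-exposed variable`);
    }
  }

  const appId = env.OKTO_APP_ID ?? '';
  const appSecret = env.OKTO_APP_SECRET ?? '';
  if (!ADDRESS_RE.test(appId)) {
    problems.push(PRIVATE_KEY_RE.test(appId)
      ? 'OKTO_APP_ID looks like a private key; the two values may be swapped'
      : 'OKTO_APP_ID is missing or not a 20-byte 0x address');
  }
  if (!PRIVATE_KEY_RE.test(appSecret)) {
    problems.push('OKTO_APP_SECRET is missing or not a 32-byte 0x key');
  }
  if (problems.length > 0) {
    throw new Error(`Okto credential check failed: ${problems.join('; ')}`);
  }

  // Non-enumerable: console.log(creds) and JSON.stringify(creds) omit the secret.
  const creds = { appId };
  Object.defineProperty(creds, 'appSecret', { value: appSecret, enumerable: false });
  return Object.freeze(creds);
}

// Usage at server start-up: const creds = loadOktoCredentials(process.env);
```

Failing at start-up catches a sandbox/production mix-up or a swapped pair before any request is signed with the wrong value.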

Reset App Secret

If you lose your App Secret or suspect unauthorized use:

  1. Go to the API Keys section on the dashboard.


  2. Click the Reset button next to the App Secret field.

  3. A new App Secret will be generated. Copy the App Secret and store it securely.

  4. Update all your applications with the new secret to avoid service disruption.

Note

  • If someone obtains your App ID and App Secret, they could potentially make unauthorized requests on behalf of your application.
  • In case of a suspected breach, immediately regenerate your App Secret and update your applications.

FAQ

1. What is the difference between App ID and App Secret for Clients?

  • App ID: A public identifier for your application used to associate your client with Okto. It is also the contract address of your client SWA on the Okto Chain.

  • App Secret: A private key used to authenticate requests from your application to Okto's servers. It is also referred to as CLIENT PRIVATE KEY / CLIENT API KEY in the docs.

2. How do I know which environment (sandbox/production) my API keys belong to?

Each environment’s keys are managed separately. Ensure the environment is indicated in your dashboard (e.g., "Sandbox" or "Production") before copying your keys.

3. What should I do if I accidentally expose my App Secret?

Immediately reset your App Secret through the dashboard and update it in your applications to prevent unauthorized access.

4. Can I use the same credentials across multiple applications?

While technically possible, we recommend using separate credentials for each application for better security and management.


Next Steps

With your Okto credentials in hand, you're ready to:

  1. Enable Chains and Tokens for your application
  2. Configure Sponsorship (optional)
  3. Integrate with the Okto SDK
