Authentication

All Long.xyz APIs require authentication via API key and are protected by rate limiting and CORS policies.

API Key Authentication

Every API request must include your API key in the X-API-KEY header:

X-API-KEY: your-api-key-here

const response = await fetch('https://api.long.xyz/v1/assets', {
  headers: {
    'X-API-KEY': 'your-api-key-here',
  },
});

Security & Access Control

Rate Limiting

Our APIs implement fair usage rate limiting to ensure service quality for all users. If you exceed the rate limit, you’ll receive a 429 Too Many Requests response.

CORS Protection

All API endpoints are protected by CORS (Cross-Origin Resource Sharing) policies.

Server-Side Usage (No CORS Issues):
  • Server-to-server requests (backend APIs, cron jobs, etc.)
  • Server-Side Rendering (SSR) - Next.js, Nuxt, SvelteKit, etc.
  • Node.js scripts and services
These environments can use API keys directly without CORS configuration, because CORS is enforced by browsers and these requests originate from the server.

Client-Side Usage (Requires CORS Whitelisting):
  • Browser-based requests (Single Page Applications)
  • Any scenario where the API key is visible in the browser's Network tab
If you plan to make API calls from the browser (where the API key will be exposed in the Network tab), you must contact us to whitelist your domains for CORS.

Never expose your API key in client-side code for production applications. Use server-side proxies or contact us for CORS whitelisting if browser requests are necessary.

Getting Access

To consume Long.xyz APIs, you must:
  1. Obtain an API Key - Contact the Long.xyz team to request your API key
  2. Whitelist Your Domains (if needed) - Required only for client-side/browser requests. Provide the domains that will make API requests so they can be added to the CORS configuration.
Contact Long.xyz support to set up your API access and domain whitelist.

Best Practices

  • Store your API key securely (use environment variables)
  • Never expose your API key in client-side code or public repositories
  • Implement proper error handling for rate limit responses
  • Consider implementing request caching to minimize API calls
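
The practices above combined in one server-side module, as an added example that is not Long.xyz's own code: the key comes from an environment variable, 429 responses are retried with backoff, responses are cached briefly, and a small proxy handler lets browser code reach the API without ever seeing the key. The names createClient, makeProxyHandler, LONG_API_KEY, ttlMs and maxRetries are assumptions, as is the use of a Retry-After header, which this page does not mention.

```javascript
// Added example, not Long.xyz code. Hypothetical names: createClient, makeProxyHandler,
// LONG_API_KEY, ttlMs, maxRetries. Requires Node 18+ for the global fetch.
const API_BASE = 'https://api.long.xyz';
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

function createClient({ apiKey = process.env.LONG_API_KEY, fetchImpl = globalThis.fetch,
                        sleep = defaultSleep, ttlMs = 30000, maxRetries = 3 } = {}) {
  if (!apiKey) throw new Error('LONG_API_KEY is not set'); // fail closed, never send a blank key
  const cache = new Map(); // path -> { expires, body }

  return async function get(path) {
    const hit = cache.get(path);
    if (hit && hit.expires > Date.now()) return hit.body; // served without an API call

    for (let attempt = 0; ; attempt++) {
      const res = await fetchImpl(API_BASE + path, { headers: { 'X-API-KEY': apiKey } });
      if (res.status === 429 && attempt < maxRetries) {
        // Assumption: Retry-After may or may not be sent; use it if present,
        // otherwise back off exponentially (500 ms, 1 s, 2 s, ...).
        const retryAfter = Number(res.headers.get('retry-after'));
        await sleep(retryAfter > 0 ? retryAfter * 1000 : 500 * 2 ** attempt);
        continue;
      }
      if (!res.ok) throw new Error(`upstream returned ${res.status}`);
      const body = await res.json();
      cache.set(path, { expires: Date.now() + ttlMs, body });
      return body;
    }
  };
}

// Handler for node:http, e.g. http.createServer(makeProxyHandler(get)). The browser calls
// this backend; only allowlisted paths are forwarded and the key never leaves the server.
function makeProxyHandler(get, allowedPaths = ['/v1/assets']) {
  return async function handler(req, res) {
    const path = new URL(req.url, 'http://localhost').pathname; // query string is dropped
    if (req.method !== 'GET' || !allowedPaths.includes(path)) {
      res.writeHead(404).end();
      return;
    }
    try {
      const body = JSON.stringify(await get(path));
      res.writeHead(200, { 'Content-Type': 'application/json' }).end(body);
    } catch {
      res.writeHead(502).end(); // do not echo upstream error details to the browser
    }
  };
}
```

Set LONG_API_KEY in the process environment of the backend only; it should not appear in any bundle or template sent to the browser.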