For protocol-specific ways of passing authentication, please refer to each protocol:

Types of keys

There are two sorts of keys in the dfuse ecosystem:

  1. A long-lived API key - will resemble server_abcdef123123123000000000000000000, used to generate short-lived JWT.
  2. A short-lived JWT - used when performing any call on the dfuse Platform, which looks like:


Obtaining a Long-Lived API Key

Once you have created an account through the dfuse portal you will be able to obtain an API key.

  1. Click on “GENERATE NEW KEY” and you’ll now be able to start customizing your key for your specific needs.
  2. Assign the API key a name so that you’ll be able to differentiate it from other API keys that you generate.

Obtaining a Short-Lived JWT

Once you have this API key, call the endpoint to obtain a fresh Authentication Token using the following command. Do not forget to replace the API key by your own!

curl -XPOST \
  -H "Content-Type: application/json" \
  --data '{"api_key":"web_abcdef12345678900000000000"}' \

fetch("", {
  method: "POST",
  body: JSON.stringify({
    api_key: "web_abcdef12345678900000000000"
  headers: {
    "Content-Type": "application/json"
.then(res => res.json())
.then(console.log) // Cache JWT (for up to 24 hours)

import requests

headers = {
    'Content-Type': 'application/json',

data = '{"api_key":"web_abcdef12345678900000000000"}'

# Cache JWT response (for up to 24 hours)
response ='', headers=headers, data=data)

package main

import (

func main() {
	client := &http.Client{}
	var data = []byte(`{{"api_key":"web_abcdef12345678900000000000"}}`)
	req, err := http.NewRequest("POST", "", data)
	if err != nil {
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
	bodyText, err := ioutil.ReadAll(resp.Body)
	if err != nil {

  // Cache JWT response (for up to 24 hours)
	fmt.Printf("%s\n", bodyText)

# Use this in your .bashrc to speed your development environment

# Replace this variable by an API key you got from
export DFUSE_KEY=web_abcdef12345678900000000000
function dfusetoken {
    DFUSE_TOKEN=$(curl -s --data-binary '{"api_key":"'$DFUSE_KEY'"}' | jq -r .token)
    export DFUSE_TOKEN

The return value from the API:

String     The JWT to be used with all API calls, including WebSocket.
Timestamp     An UNIX timestamp (UTC) indicating when the JWT will expire.

Our client-js library will handle the token issuance and caching for you if you decide to utilize it. You can also consult a working reference example if you would like to follow along with some sample TypeScript code.


To learn more about JWTs, you can consult

Each JWT is valid for a period of 24 hours. Make sure to cache those values to avoid hitting rate limiting on JWT issuance.


The token will be validated only upon connection establishment, and will never provoke a disconnection even if it expires during that connection’s lifetime.

Lifecycle of Short-Lived JWTs

Each JWT has an expiration date, so it is important to take that into account before making a request to the dfuse APIs. Here is the recommended procedure to take before making a request:

  1. Retrieve the JWT, and examine it’s expiration time
  2. If the JWT is past its expiration time, is near expiration, or is absent from cache, fetch a new one through the /v1/auth/issue endpoint, and cache the response.
  3. Call dfuse with the valid JWT token.

Each time you get a fresh JWT, it contains the updated expiration time and the token itself.

GraphQL Authentication

Using the apollo-client .

When doing POST calls to the /graphql endpoint, you must specify the Authorization header, exactly like any other REST calls.

GraphQL over gRPC Authentication

Using the language of your choice, use the OAuth2 authentication method with gRPC. Set the OAuth2 Access Token to be your JWT, and if required, specify Bearer as the method. This will set the authorization gRPC header, similiar to the HTTP header of the same name.

Refer to the official gRPC guides to see how to apply it to your language of choice.