Security

Key handling

  • Never ship an API key in client-side code. Anyone reading your app bundle can drain your CU budget and rate limits. Proxy RPC calls through your backend, or issue per-environment keys you can revoke fast.
  • Environment variables over config files. Every snippet in these docs reads YOUR_API_KEY from the environment — copy that pattern.
  • One key per deployable unit. Separate keys for staging/production/CI make revocation surgical and usage attributable. Keys are free.
  • Rotate on suspicion, not on schedule. Create-new → deploy → revoke-old is zero-downtime (Authentication).

Blast-radius control

  • Project chain scoping — a compromised key for an ["eth"]-scoped project cannot touch your Bitcoin traffic (how to).
  • Projects as bulkheads — usage, quotas and keys are per project; split products or teams into projects rather than sharing one.

Account security

  • Enable TOTP 2FA or add a passkey in the dashboard (Settings → Security). Recovery codes are shown once — store them offline.
  • Review active sessions (GET /api/v1/auth/sessions) and revoke any you don't recognize; "log out everywhere" is POST /api/v1/auth/logout-all.
  • The audit log (Settings → Audit) records logins, key operations and project changes with timestamps and IPs.
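A way to actually use those audit-log fields, as an added example that is not part of these docs: the routine below walks a constructed sample of entries (the field names `ts`, `actor`, `action`, `ip` and `project`, and the action names, are assumptions; the real export is whatever Settings → Audit provides) and flags logins from an IP that actor has not used before, then escalates any key or project operation that follows such a login from the same IP within a short window. The `knownIps` option seeds the baseline so the very first entry is not treated as new.

```javascript
// Added example (not the provider's code). Constructed audit-log sample;
// the field and action names are assumptions about the export format.
const SAMPLE_AUDIT = [
  { ts: "2024-05-01T09:00:00Z", actor: "alice", action: "login", ip: "203.0.113.10" },
  { ts: "2024-05-01T09:05:00Z", actor: "alice", action: "key.create", ip: "203.0.113.10", project: "prod" },
  { ts: "2024-05-02T10:00:00Z", actor: "alice", action: "login", ip: "203.0.113.10" },
  { ts: "2024-05-03T02:14:00Z", actor: "alice", action: "login", ip: "198.51.100.77" },
  { ts: "2024-05-03T02:16:00Z", actor: "alice", action: "key.create", ip: "198.51.100.77", project: "prod" },
  { ts: "2024-05-03T02:17:00Z", actor: "alice", action: "project.chains.update", ip: "198.51.100.77", project: "prod" },
];

// Returns findings in time order. knownIps: IPs already trusted for every actor
// (office egress, CI runners); windowMinutes: how soon after a new-IP login a
// sensitive action is escalated.
function reviewAuditLog(entries, { knownIps = new Set(), windowMinutes = 15 } = {}) {
  const sorted = [...entries].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const seenIps = new Map();        // actor -> Set of IPs seen so far
  const lastNewIpLogin = new Map(); // actor -> most recent login from an unseen IP
  const findings = [];

  for (const e of sorted) {
    const ips = seenIps.get(e.actor) ?? new Set(knownIps);
    const isNewIp = !ips.has(e.ip);

    if (e.action === "login" && isNewIp) {
      findings.push({ severity: "medium", entry: e, reason: "login from an IP not seen before for this actor" });
      lastNewIpLogin.set(e.actor, e);
    }

    // Key and project changes are what an attacker with a stolen session wants;
    // tie them back to the login that preceded them.
    if (e.action.startsWith("key.") || e.action.startsWith("project.")) {
      const login = lastNewIpLogin.get(e.actor);
      const withinWindow = login && login.ip === e.ip &&
        Date.parse(e.ts) - Date.parse(login.ts) <= windowMinutes * 60 * 1000;
      if (withinWindow) {
        findings.push({ severity: "high", entry: e, reason: `${e.action} within ${windowMinutes} min of a login from a new IP` });
      }
    }

    ips.add(e.ip);
    seenIps.set(e.actor, ips);
  }
  return findings;
}
```

On the sample, with 203.0.113.10 seeded as known, the 02:14 login from 198.51.100.77 is reported as medium and the key creation and chain-scope change two and three minutes later are escalated to high; that is the sequence worth checking against the session list and, if it was not you, the cue to revoke the new key and hit logout-all.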

What we do on our side

  • Keys are stored hashed; the plaintext exists only in the create response.
  • TLS everywhere (Let's Encrypt, auto-renewed); plaintext HTTP is redirected (308).
  • RPC nodes are never exposed directly — every request passes the authenticated gateway and the metering proxy.
  • debug_* is disabled at the gateway on EVM chains; expensive scan methods are guarded (Rate limits).

Signup & account protection

Account creation is rate-limited per source IP and screens out malformed and disposable-mail addresses. Depending on deployment configuration, signup may require a CAPTCHA, and creating your first API key may require confirming your email address first — follow the link we send on registration. These exist to keep the free tier usable for real users; they don't affect your API traffic once your key is issued.

Sending transactions

The platform never holds your private keys. Sign locally (ethers, bitcoinjs, xrpl.js, …) and submit the raw bytes via the chain's broadcast method. Treat any service that asks for a private key — including anything claiming to be us — as hostile.