API Keys

The POAP API uses API keys to authenticate requests. You can request API keys using this form.

If you plan to use POAP API, you will need to use API keys. Please follow the chart below to identify if you need API keys:


Request API Keys

You can request API keys and auth tokens by filling out this form.


Your API keys carry many privileges, so please keep them secure! Do not share your secret API keys in publicly accessible platforms. If your API key is compromised, we can provide a replacement.


Authentication to the API is performed via HTTP basic authentication. Use the API key provided to you as the basic auth username value. You do not need to provide a password.

All requests should contain the header X-API-Key={apikey} where {apikey} is your unique API key.

For example, a header with the API key would look like this:

curl -vvv -H "X-API-Key: $apikey"

Auth Tokens

Depending on your use case, you may or may not use a variety of our endpoints. Some of these endpoints are protected. If your use case requires you to have access to these endpoints, you will need to use auth tokens to access them.

You can identify if an endpoint is protected by looking at the "Authentication" section on the reference page. If it has the "token" input, as shown in the image below, then it is a protected endpoint and requires auth tokens.

Please follow the chart below to identify if you need to request auth tokens:


Request Auth Tokens

You can request both API keys and auth tokens by filling out this form

Generating Access Tokens

After requesting an auth token and receiving your credentials, you can use the following command to generate an access token. You will need to populate audience, client_credentials, and client_secret (auth token) with the values provided via email:

curl --location --request POST \
     --url '' \
     --header "Content-Type: application/json" \
     -d '{"audience": "", "grant_type": "client_credentials", "client_id": "$clientid", "client_secret": "$clientsecret"}'


Windows Users

Windows does not natively support cURL and will not be able to execute the above command. The recommended solutions are:


Once you have the access token, you will be able to use the protected endpoints:

curl --location --request GET \
     --url' \
     --header 'Accept: application/json' \
     --header 'Authorization: Bearer $acccesstoken' \
     --header 'X-API-Key: $apikey'

For HTTP requests, make sure to include the following headers to authenticate your request:

GET /actions/claim-qr HTTP/1.1
Authorization: Bearer {accesstoken}
Accept: application/json

Access Token Expiration

For security purposes the access token expires after 24 hours. This means you will need to generate a new access token every rolling 24 hour period.

Note: Generating more than 4 access tokens per hour will lead to a ban.

Protected Endpoints

  • POST /actions/claim-qr - Claim a POAP given a previously created mint-link.
  • GET /actions/claim-qr - Look up information on an individual mint-link including the claim status, secret code, collector (if claimed), and event information.
  • POST /event/validate - Check if a secret code is valid.
  • POST /event/{id}/qr-codes - Returns the list of qr_hash codes for a particular event, along with the claim status of each code for whether it has been claimed yet.
  • POST /redeem-requests - Request more codes for one of the following redeem methods: QR Code, Secret Website, or Secret Word.
  • GET /secret/{secret_word} - Obtain information about a specific secret word claims and its related event.