Authentication

API Keys

The POAP API uses API keys to authenticate requests. You can request API keys using the form here.

Are you wondering if you need API keys? If you plan to use the POAP API, you will need API keys.

Please follow the chart below to identify if you need API keys:

📘

Request API Keys

You can request API keys and auth tokens by filling out this form.

Your API keys carry many privileges, so please keep them secure! Do not share your secret API keys in publicly accessible platforms. If your API key is compromised, we can provide a replacement.

Authentication to the API is performed via HTTP basic authentication. Use the API key provided to you as the basic auth username value. You do not need to provide a password.

All requests should include a header.

Requests should contain the header X-API-Key: {apikey}, where {apikey} is your unique API key attached below: _secretlink password: {pass}_.

For example, a header with the API key would look like this:

curl -vvv -H "X-API-Key: myapikey" 'https://api.poap.tech/paginated-events?limit=100&offset=0&sort_dir=asc&sort_field=name'

Auth Tokens

Depending on your use case, you may or may not use a variety of our endpoints. Some of these endpoints are protected. If your use case requires you to have access to these endpoints, you need to use Auth tokens to access them.

Do I need auth tokens?

Please follow the chart below to identify if you need to request auth tokens:

To identify whether the endpoint you want to use is protected, see the image below: a protected endpoint shows "token" under Authentication as required to access it.

📘

Auth Tokens

You can request both API keys and auth tokens by filling out this form.

Getting the access token


We use Auth0 to validate access to POAP API-protected endpoints. Use the credentials provided to you (i.e. client_id, client_secret and audience) to request a bearer token from Auth0. This bearer token is dynamic and changes at some frequency set by Auth0.

curl --location --request POST \
     --url 'https://poapauth.auth0.com/oauth/token' \
     --header "Content-Type: application/json" \
     -d '{"audience": "", "grant_type": "client_credentials", "client_id": "", "client_secret": ""}'

Once you have the Auth0 access token, use it to access the POAP API-protected endpoints:

curl --location --request GET --url 'https://api.poap.tech/actions/claim-qr?qr_hash=1kozmm' --header "Authorization: Bearer $authtoken"

POST https://{auth0Domain}/oauth/token
Get access token
This endpoint gets the access token to send a request to the POAP API.

Sending requests to the POAP API

Once you have your access token, you will be able to use the Protected API endpoints by sending requests to our third-party integrations URL with the following headers to authenticate your request:

GET /actions/claim-qr HTTP/1.1
Authorization: Bearer {accesstoken}
accept: application/json
Host: api.poap.tech
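
The token request and the authenticated call described above, combined into a small cache that reuses the Auth0 bearer token until shortly before it expires instead of requesting one per call. This is an added example, not POAP's own code: `access_token`, `token_type` and `expires_in` are the standard OAuth 2.0 token response fields, while `TokenCache`, the 60-second refresh margin and the environment variable names are assumptions. Sending X-API-Key next to the bearer token follows the page's statement that all requests include that header.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://poapauth.auth0.com/oauth/token"  # from the page
REFRESH_SKEW = 60  # assumption: renew this many seconds before expiry


def fetch_token(client_id, client_secret, audience):
    """POST the client-credentials request shown on the page; return the JSON reply."""
    body = json.dumps({"audience": audience, "grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Reuse the bearer token until shortly before its expires_in elapses."""

    def __init__(self, fetch, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            reply = self._fetch()
            token = reply.get("access_token")
            if not token or str(reply.get("token_type", "")).lower() != "bearer":
                raise ValueError("token endpoint did not return a bearer token")
            lifetime = int(reply.get("expires_in", 0))
            self._token = token
            self._expires_at = now + max(0, lifetime - REFRESH_SKEW)
        return self._token

    def headers(self, api_key):
        """Headers for a protected endpoint: bearer token plus the X-API-Key header."""
        return {"Authorization": f"Bearer {self.get()}",
                "X-API-Key": api_key, "accept": "application/json"}


if __name__ == "__main__":
    # Secrets are read from the environment (hypothetical variable names), not the source.
    env = os.environ
    cache = TokenCache(lambda: fetch_token(
        env["POAP_CLIENT_ID"], env["POAP_CLIENT_SECRET"], env["POAP_AUDIENCE"]))
    print(sorted(cache.headers(env["POAP_API_KEY"])))  # header names only
```

The error path deliberately does not echo the token endpoint's reply, so a failed exchange cannot leak credentials into logs.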

Protected API endpoints

Get info and status on QR hash
This endpoint is useful for validating the QR hash and getting the Secret to mint a POAP.

Use a valid QR and Secret to mint a POAP to a specific address

Endpoint to validate an event edit code

Endpoint to create a new request for additional mint links for specific distribution methods

