API Key
After partner approval, Gauntlet provisions an API key for your organization.
```bash
GAUNTLET_API_KEY=<YOUR_API_KEY>
```
Store this in an environment variable — never in client-side code or version control.
Make Authenticated Requests
Pass the API key as a Bearer token in the Authorization header:
```bash
curl https://api.gauntlet.xyz/v1/vaults \
  -H 'Authorization: Bearer <YOUR_API_KEY>'
```

```typescript
const API_BASE_URL = 'https://api.gauntlet.xyz'
const API_KEY = process.env.GAUNTLET_API_KEY!

const resp = await fetch(`${API_BASE_URL}/v1/vaults`, {
  headers: { Authorization: `Bearer ${API_KEY}` },
})
// returns:
// { data: [{ name: "gtUSDa", ... }], meta: { ... } }
```
Or use the SDK, which handles auth internally:
```typescript
const sdk = new GauntletSDK({
  apiKey: process.env.GAUNTLET_API_KEY,
})

const vaults = await sdk.getVaults()
// returns:
// [{ name: "gtUSDa", ... }]
```
Rate Limits
API access is rate-limited per partner: 60 requests/minute and 10,000 requests/day.
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed per window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
On 429, back off until X-RateLimit-Reset. Cache vault metrics and meta responses to reduce request volume.
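One way to implement the 429 handling described above on a server, as an added example that is not Gauntlet's own code and is written in plain JavaScript. The helper names `resetDelayMs` and `gauntletGet`, the retry cap, the wait floor and ceiling, and the 1-second fallback for a missing header are assumptions; it also assumes `X-RateLimit-Reset` is expressed in seconds.

```javascript
// Assumed client-side policy values; none of these come from the API docs.
const MAX_RETRIES = 3      // give up after this many 429 responses
const MIN_WAIT_MS = 500    // floor, covers clock skew and resets already past
const MAX_WAIT_MS = 60_000 // ceiling, so a bad header cannot stall the caller

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))

// Milliseconds to wait until the X-RateLimit-Reset Unix timestamp
// (assumed to be in seconds). A missing or malformed header yields 1 s.
function resetDelayMs(headers, nowMs = Date.now()) {
  const reset = Number(headers.get('X-RateLimit-Reset'))
  if (!Number.isFinite(reset) || reset <= 0) return 1000
  const untilReset = reset * 1000 - nowMs
  return Math.min(Math.max(untilReset, MIN_WAIT_MS), MAX_WAIT_MS)
}

// GET a path with the Bearer key, waiting for the reset window on 429.
// fetchFn, sleep and now are injectable so the logic can be tested offline.
async function gauntletGet(path, opts = {}) {
  const { fetchFn = fetch, sleep = defaultSleep, now = Date.now } = opts
  const apiKey = process.env.GAUNTLET_API_KEY
  if (!apiKey) throw new Error('GAUNTLET_API_KEY is not set')

  for (let attempt = 0; ; attempt++) {
    const resp = await fetchFn(`https://api.gauntlet.xyz${path}`, {
      headers: { Authorization: `Bearer ${apiKey}` },
    })
    if (resp.ok) return resp.json()

    // 401 and 403 are key or scope problems; retrying cannot fix them.
    // The error carries only the status, never the key or the header.
    if (resp.status !== 429 || attempt >= MAX_RETRIES) {
      throw new Error(`Gauntlet API request failed with HTTP ${resp.status}`)
    }
    await sleep(resetDelayMs(resp.headers, now()))
  }
}
```
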
Error Codes
| Status | Meaning |
|---|---|
| 401 | Missing or invalid API key |
| 403 | Insufficient scope for this endpoint |
| 429 | Rate limited — back off and retry after reset |
Security
Never expose your API key in client-side code, public repos, or browser-accessible bundles. Use server-side environments only.
- Store keys in environment variables and add .env to .gitignore
- Use separate keys for development, staging, and production
- Rotate production keys every 90 days