Skip to main content
Deframe API uses API keys to authenticate requests. All endpoints require authentication via API key in the x-api-key header. Your API keys carry many privileges, so be sure to keep them secure!

Getting an API Key

1

Sign up for Deframe

Create an account at deframe.io
2

Navigate to API Keys

Go to the API Keys section in your dashboard
3

Generate New Key

Click “Generate API Key” and give it a descriptive name
4

Copy and Store

Copy your API key immediately - you won’t be able to see it again!
Keep your API keys secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, etc.

Using Your API Key

Include your API key in the x-api-key header with every request: 
import axios from 'axios'

const deframe = axios.create({
  baseURL: 'https://api.deframe.io',
  headers: {
    'x-api-key': process.env.DEFRAME_API_KEY
  }
})

// Make authenticated request
const response = await deframe.get('/strategies')
Store your API key in a secure server-side environment variable (e.g. DEFRAME_API_KEY). Do not expose it in frontend code or commit it to git.

API Key Authentication

Recommended for all integrations Use the x-api-key header for all API requests: 
headers: {
  'x-api-key': 'your-api-key'
}
Best for:
  • Backend services
  • Server-to-server communication
  • Automated scripts and bots
  • CI/CD pipelines
  • All application types
API keys are tied to your customer account and can be rotated or revoked at any time from your dashboard.

Rate Limits

API keys are subject to rate limits to ensure fair usage:

Rate Limits

  • 100 requests per minute per API key
  • 1,000 requests per hour per API key
  • Rate limit headers included in every response

Rate Limit Headers

Every API response includes headers showing your current rate limit status: 
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640000000

Handling Rate Limits

When you exceed the rate limit, you’ll receive a 429 Too Many Requests response: 
{
  "error": {
    "code": "RATE_LIMIT_EXCEEDED",
    "message": "Rate limit exceeded. Please wait before making more requests.",
    "httpStatus": 429,
    "details": {
      "retryAfter": 60
    }
  }
}

import axios from 'axios'

const deframe = axios.create({
  baseURL: 'https://api.deframe.io',
  headers: { 'x-api-key': process.env.DEFRAME_API_KEY }
})

// Add rate limit handling
deframe.interceptors.response.use(
  response => response,
  async error => {
    if (error.response?.status === 429) {
      const retryAfter = error.response.data.error.details.retryAfter
      console.log(`Rate limited. Retrying after ${retryAfter}s...`)

      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000))

      // Retry the request
      return deframe(error.config)
    }
    return Promise.reject(error)
  }
)

Security Best Practices

Never hardcode API keys in your source code.Do:
  • Use environment variables
  • Use secret management services (AWS Secrets Manager, HashiCorp Vault)
  • Use encrypted configuration files
Don’t:
  • Commit keys to version control
  • Include keys in client-side code
  • Share keys via email or messaging apps
Rotate your API keys periodically to minimize security risks.Recommended rotation schedule:
  • Production keys: Every 90 days
  • Development keys: Every 180 days
  • Immediately if compromised
How to rotate:
  1. Generate a new API key in your dashboard
  2. Update your application with the new key
  3. Test that the new key works
  4. Delete the old key
Create separate API keys for each environment to isolate security risks.
Development → dev_key_xxx
Staging     → stg_key_xxx
Production  → prod_key_xxx
This way, if a development key is compromised, your production environment remains secure.
Regularly check your API key usage in the dashboard:
  • Track request volume
  • Monitor for unusual patterns
  • Review error rates
  • Check which endpoints are being accessed
Set up alerts for:
  • Unusually high request volume
  • Requests from unexpected IP addresses
  • High error rates
For additional security, implement request signing to verify request authenticity.
import crypto from 'crypto'

function signRequest(method, path, body, timestamp, secret) {
  const message = `${method}${path}${timestamp}${JSON.stringify(body)}`
  return crypto.createHmac('sha256', secret).update(message).digest('hex')
}

const timestamp = Date.now()
const signature = signRequest('GET', '/strategies', null, timestamp, apiSecret)

headers: {
  'x-api-key': apiKey,
  'x-timestamp': timestamp,
  'x-signature': signature
}

Troubleshooting

Problem: Your request returns a 401 Unauthorized error.Solutions:
  • Verify your API key is correct
  • Check that the x-api-key header is included
  • Ensure no extra spaces or characters in the key
  • Verify the key hasn’t been deleted or revoked
// ✅ Correct
headers: { 'x-api-key': 'your-api-key' }

// ❌ Wrong - don't use "Bearer" prefix
headers: { 'x-api-key': 'Bearer your-api-key' }

// ❌ Wrong - incorrect header name
headers: { 'Authorization': 'your-api-key' }
Problem: Your request returns a 403 Forbidden error.Possible causes:
  • API key doesn’t have permission for this endpoint
  • Account has been suspended
  • Request from blocked IP address
Solution: Contact support at support@deframe.io
Problem: New API key doesn’t work immediately.Solution: API keys may take up to 30 seconds to propagate. Wait a moment and try again.If the issue persists:
  1. Verify you copied the entire key
  2. Check for hidden characters or spaces
  3. Try generating a new key

Next Steps

Quickstart

Make your first API call

API Reference

Explore available endpoints

Yield Guides

Deposit, withdraw, and monitor positions

Swap Guides

Integrate token swaps into your app