SolScanner API
Embed API

Authentication

API keys and domain whitelisting.

API key

You get one key per org. It starts with emb_ and is 68 characters long. Keys can be viewed and rotated from the admin dashboard. Rotating a key invalidates the old one immediately.

Pass it as a query param:

/scanner/{MINT}/map?embed=1&key=emb_a1b2c3d4e5f6...

Domain whitelisting

The embed only loads from domains you've registered with us. The server checks the browser's Origin header against your list. If it doesn't match, you get a 403.

Matching rules:

You registerWorks onDoesn't work on
app.example.comapp.example.comexample.com, other.com
example.comexample.com, sub.example.comother.com
localhosthttp://localhost:3000, http://localhost:5173 (any port)Remote origins
localhost:5173http://localhost:5173 onlyOther ports

If you add example.com, all subdomains work too. To add or change domains, contact us.

Local development

For dev environments, register either localhost (matches any port) or the specific localhost:PORT you run your integrator on. Both schemes http:// and https:// are accepted by the iframe's frame-ancestors CSP.

Validate a key

Check if a key is valid without triggering a scan:

GET https://api.solscanner.app/embeds/validate?key={API_KEY}

No auth needed. Returns:

{ "valid": true, "domains": ["app.example.com", "staging.example.com"] }

Or if invalid:

{ "valid": false, "domains": [] }

Use this before mounting the iframe to fail fast when a key is rotated, disabled, or typo'd — the iframe itself cannot report invalid-key state to the host page (cross-origin), so a pre-flight check is the cleanest way to surface it.

Errors

StatusCodeMeaning
403EMBED_KEY_INVALIDBad key or key not found
403EMBED_ORG_DISABLEDOrg disabled by admin
403EMBED_DOMAIN_REJECTEDPage domain not on your whitelist

On this page