Authentication
API keys and domain whitelisting.
API key
You get one key per org. It starts with emb_ and is 68 characters long. Keys can be viewed and rotated from the admin dashboard. Rotating a key invalidates the old one immediately.
Pass it as a query param:
/scanner/{MINT}/map?embed=1&key=emb_a1b2c3d4e5f6...Domain whitelisting
The embed only loads from domains you've registered with us. The server checks the browser's Origin header against your list. If it doesn't match, you get a 403.
Matching rules:
| You register | Works on | Doesn't work on |
|---|---|---|
app.example.com | app.example.com | example.com, other.com |
example.com | example.com, sub.example.com | other.com |
localhost | http://localhost:3000, http://localhost:5173 (any port) | Remote origins |
localhost:5173 | http://localhost:5173 only | Other ports |
If you add example.com, all subdomains work too. To add or change domains, contact us.
Local development
For dev environments, register either localhost (matches any port) or the specific localhost:PORT you run your integrator on. Both schemes http:// and https:// are accepted by the iframe's frame-ancestors CSP.
Validate a key
Check if a key is valid without triggering a scan:
GET https://api.solscanner.app/embeds/validate?key={API_KEY}No auth needed. Returns:
{ "valid": true, "domains": ["app.example.com", "staging.example.com"] }Or if invalid:
{ "valid": false, "domains": [] }Use this before mounting the iframe to fail fast when a key is rotated, disabled, or typo'd — the iframe itself cannot report invalid-key state to the host page (cross-origin), so a pre-flight check is the cleanest way to surface it.
Errors
| Status | Code | Meaning |
|---|---|---|
| 403 | EMBED_KEY_INVALID | Bad key or key not found |
| 403 | EMBED_ORG_DISABLED | Org disabled by admin |
| 403 | EMBED_DOMAIN_REJECTED | Page domain not on your whitelist |