> For the complete documentation index, see [llms.txt](/llms.txt).

# API key secret

For enhanced security, you can require an API key secret for all requests to Infura. The API key secret serves as a password accompanying the API key (which serves as a username). This two-factor approach strengthens the authentication process, ensuring that only requests from authorized sources are accepted.

## When to use an API key secret[​](#when-to-use-an-api-key-secret "Direct link to When to use an API key secret")

Use an API key secret if your dapp includes server-side components. Storing and using the API key secret only on the server side prevents exposure to client-side risks, such as malicious actors gaining access through browser inspection tools or network monitoring.

If your dapp operates solely on the client side without a server, use only the API key. The API key is exposed in client-side code, so you should secure it using [allowlists](/developer-tools/dashboard/how-to/secure-an-api/use-an-allowlist/).

tip

For customers on the Developer tier or higher, Infura supports [overriding your allowlist](/developer-tools/dashboard/how-to/secure-an-api/use-an-allowlist/#override-your-allowlist-settings)when you specify an API key secret. This allows you to apply the principle of least privilege on the client side while allowing unrestricted access on the server side.

## Enable the API key secret for requests[​](#enable-the-api-key-secret-for-requests "Direct link to Enable the API key secret for requests")

In the API key's **Settings** tab, select **Require API Key secret for all requests**.

![](/assets/images/settings-tab-a24b3d4da6c0391a1e0f5416e6bb3840.png)

## Call APIs using an API key secret[​](#call-apis-using-an-api-key-secret "Direct link to Call APIs using an API key secret")

- HTTPS
- WebSocket

```
curl --user :<YOUR-API-KEY-SECRET> \
  https://mainnet.infura.io/v3/<YOUR-API-KEY> \
  -d '{"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}'

```

```
wscat -c wss://mainnet.infura.io/ws/v3/<YOUR-API-KEY> --auth ":<YOUR-API-KEY-SECRET>"
> {"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 1}

```