Carbium Auth Matrix
See which Carbium key, endpoint, and auth format belongs to RPC, gRPC, and Swap API before you wire the wrong credential into production.
Carbium Auth Matrix
If you are wiring Carbium into a new app, the first avoidable mistake is usually simple: the wrong key on the wrong surface.
This page owns one question only:
Which Carbium product uses which endpoint and auth format?
Use it before you debug 401, 403, or silent client mistakes caused by mixing RPC, gRPC, and Swap API patterns.
Part of the Carbium Solana infrastructure stack.
Direct answer
This page covers the main public docs surfaces Carbium publishes today.
| Product surface | Main endpoint | Key to use | Auth format the docs publish | Best fit |
|---|---|---|---|---|
| RPC over HTTP JSON-RPC | https://rpc.carbium.io/?apiKey=YOUR_RPC_KEY | RPC dashboard key | Query parameter apiKey | Standard reads, writes, send, confirm |
| Streaming over WebSocket | wss://grpc.carbium.io/?apiKey=YOUR_RPC_KEY | RPC dashboard key | Query parameter apiKey | JS, TS, and Python stream clients |
| Yellowstone over HTTP/2 | https://grpc.carbium.io | RPC dashboard key | Header x-token: YOUR_RPC_KEY | Rust and HTTP/2 gRPC clients |
| Swap API quote flow | https://api.carbium.io/api/v2/quote | Swap API key | Header X-API-KEY: YOUR_API_KEY | Quotes and executable swap payloads |
The important split is:
- RPC and gRPC share the RPC dashboard key
- Swap API uses a separate API key
Do not reuse the Swap API key on rpc.carbium.io or the RPC dashboard key on api.carbium.io/api/v2/quote.
If you are building a wallet or bot, you will often need both keys at once: an RPC key for reads and submission, and a Swap API key for quotes.
Where each key comes from
| Surface | Where Carbium says to create it | Notes |
|---|---|---|
| RPC + gRPC | https://rpc.carbium.io/signup or the RPC dashboard at https://rpc.carbium.io | One RPC dashboard key covers both standard JSON-RPC and the documented gRPC / stream endpoints |
| Swap API | https://api.carbium.io/login or the API dashboard at https://api.carbium.io | Separate key used in the X-API-KEY header |
This is why "Carbium key" is too vague in implementation notes. You need to know which product surface you are authenticating against.
Copy-paste patterns that match the docs
RPC over HTTP
curl -X POST "https://rpc.carbium.io/?apiKey=$CARBIUM_RPC_KEY" \
-H "Content-Type: application/json" \
-d '{
"jsonrpc":"2.0",
"id":1,
"method":"getHealth",
"params":[]
}'Streaming over WebSocket
import WebSocket from "ws";
const ws = new WebSocket(
`wss://grpc.carbium.io/?apiKey=${process.env.CARBIUM_RPC_KEY}`
);Yellowstone over HTTP/2
use yellowstone_grpc_client::GeyserGrpcClient;
let endpoint = "https://grpc.carbium.io";
let x_token = std::env::var("CARBIUM_RPC_KEY")?;
let mut client = GeyserGrpcClient::connect(endpoint, x_token.as_str(), None)?;Swap API quote request
curl --request GET \
--url 'https://api.carbium.io/api/v2/quote?src_mint=So11111111111111111111111111111111111111112&dst_mint=EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v&amount_in=1000000&slippage_bps=50' \
--header "X-API-KEY: $CARBIUM_API_KEY"Which env vars to keep in your app
Use separate environment variables even if one service talks to multiple Carbium products:
CARBIUM_RPC_KEY=rpc_live_xxx
CARBIUM_API_KEY=api_live_xxxRecommended interpretation:
| Your app does... | Keep |
|---|---|
| RPC reads only | CARBIUM_RPC_KEY |
| RPC reads and transaction submission | CARBIUM_RPC_KEY |
| Quote and swap construction | CARBIUM_API_KEY |
| Wallet backend that quotes and submits | CARBIUM_RPC_KEY and CARBIUM_API_KEY |
| Trading bot with streaming plus swap execution | CARBIUM_RPC_KEY and CARBIUM_API_KEY |
If you only have one secret configured but your architecture uses both quoting and submission, your integration is probably incomplete.
Common auth mistakes
| Mistake | What breaks | Fix |
|---|---|---|
Sending X-API-KEY to api.carbium.io/api/v2/quote with the RPC dashboard key | Quote calls fail because the wrong product key is being used | Use the Swap API key for api.carbium.io |
Trying to call rpc.carbium.io with the Swap API key | RPC reads or sends fail | Use the RPC dashboard key on the RPC endpoint |
| Using the RPC signup flow and assuming it also created a Swap API key | Swap calls fail later | Create the separate key in api.carbium.io |
Using https://grpc.carbium.io without x-token in an HTTP/2 client | Streaming client cannot authenticate | Pass the RPC dashboard key as x-token |
| Shipping either key in browser or mobile client code | Keys leak even if the request works | Proxy through your backend and keep the secrets server-side |
The fastest way to de-risk setup is to test one request per surface before you write the full app flow.
Where this page stops
This page is the auth map, not the full security guide and not the full implementation guide.
Use the adjacent docs when the question changes:
- use API Key Security Best Practices for storage, restrictions, rotation, and exposure response
- use Carbium for Wallet Developers for wallet signing boundaries
- use Carbium for Trading Bots for bot architecture
- use Q1 for the current Swap API quote flow
Start with the right Carbium key for the right surface, then keep the deeper operational rules in the dedicated security page at docs.carbium.io.
Updated 10 days ago