Native token balances now live Get started

Article: Security Best Practices for your NFT API Integration

Published on: 12/20/2023

Security Best Practices for your NFT API Integration

At SimpleHash, we provide a RESTful API that enables developers to access a wide array of NFT data, including metadata, transactions, and market data, across more than 50 blockchains. This brief article is dedicated to guiding web3 developers through essential security practices specifically tailored for using a REST-based API like SimpleHash to retrieve NFT data.

API Key Management

Effective management of API keys is the cornerstone of secure API integration:

  • Store Keys Securely: Do not hardcode API keys in your application. Utilize environment variables or dedicated secret management systems.
  • Don't Expose Keys: Avoid including API keys in front-end client-facing applications where they could be inspected or retrieved
  • Limit Key Access: Restrict the internal distribution of your API keys to necessary team members only, and consider using a password manager or equivalent system

Secure API Requests

Ensuring the security of API requests is paramount:

  • Enforce HTTPS: Always utilize HTTPS for your API requests to encrypt the data and prevent interception.
  • Handle Errors Carefully: Implement comprehensive error handling to prevent sensitive information leaks through error messages.

Leverage SimpleHash's Spam Scores to Mitigate Risks

An essential aspect of integrating NFT data involves filtering out unwanted content, including spammy or scammy tokens that might contain harmful or deceptive content (such as phishing links). SimpleHash provides a crucial feature in this regard: spam scores. This feature is designed to help developers identify and filter out potentially risky tokens. Here's how you can effectively use spam scores in your integration:

  • Understanding Spam Scores: SimpleHash's API includes a spam score metric for collections. This score is calculated based on various factors, such as the collection's transaction history, market activity, and an assessment by a finetuned LLM
  • Integrate Spam Score Checks: Incorporate spam score checks into your application's workflow. When fetching NFT data, use the spam score as a filter to assess the credibility of a token. Set a threshold score that aligns with your application's risk tolerance (we usually recommend 80 or higher as the initial threshold to use as spam)
  • Dynamic Thresholds: Depending on your application's nature and audience, you might want to adjust the threshold for different use cases. For instance, a marketplace might have a lower tolerance for risk compared to an analytics platform.
  • Automate Content Filtering: Automate the process of filtering out tokens with high spam scores. This can significantly reduce the manual effort required to curate content and enhance user safety.
  • User-Controlled Settings: Consider offering your users the ability to set their own spam score thresholds. This empowers them to customize their experience based on their risk appetite.
  • Educate Users: While the spam score feature is a powerful tool, it's also important to educate your users about the risks associated with NFTs. Provide them with information on how to identify potential scams and the importance of cross-verifying NFTs before any transaction.

By integrating SimpleHash’s spam scores into your application, you can significantly enhance the security and reliability of your NFT data. This proactive approach not only safeguards your platform from malicious content but also builds trust among your user base, and drives user engagement.

Usage Monitoring

Being mindful of your API usage is crucial to check for any abnormal request patterns.

  • Monitor API Usage: Regularly check your API usage patterns for any irregularities that might suggest a security issue - you can always check your usage at the SimpleHash developer portal

Other Recommendations for REST API Security

When working with REST-based APIs like SimpleHash, additional security measures can be helpful:

  • API Gateway Use: Consider using an API gateway as an additional security layer. Gateways can provide functionalities like rate limiting, IP whitelisting, and logging, adding an extra layer of security.
  • Logging and Monitoring: Implement detailed logging of API transactions and monitor these logs for unusual activities. This can be vital in helping monitor application performance
  • CORS Configuration: Properly configure Cross-Origin Resource Sharing (CORS) policies to control which domains can access your API, reducing the risk of data leaks through client-side scripts.

Interested in NFT or API security and safety more broadly? We'd love to hear from you - feel free to reach out at

Getting token & NFT data is hard.

SimpleHash makes it easy.

Trusted by hundreds of web3 leaders:

Coinbase logo
Floor logo
Ledger logo
Brave logo
Rarible logo
Rainbow logo
Phantom logo
Manifold logo
Venly logo
Exodus logo
Zerion logo
Nansen logo
Dappradar logo
Dust Labs logo
Unstoppable Domains logo
Mask logo
Crossmint logo
Tiplink logo