Skip to main content
The Pipeline API has three distinct credential types. Picking the right one matters - a regular GoldRush API key cannot create or manage pipelines, and a ServiceKey cannot call the Foundational, Streaming, CLI, or x402 APIs.

Credential types at a glance

API keys and ServiceKeys are not interchangeable. Sending a regular API key to a Pipeline REST endpoint returns 403 Forbidden. Sending a ServiceKey to a Foundational or Streaming endpoint also returns 403.

1. Platform login

You authenticate as a user with email/password (or SSO) to access the GoldRush Platform. The Platform is where you:
  • Configure pipelines through the UI.
  • Manage billing and your subscription.
  • Create and rotate API keys.
  • Create and rotate ServiceKeys.

Vibe Coders

$10/mo - Built for solo builders and AI-native workflows.

Teams

$250/mo - Production-grade with 50 RPS and priority support.

2. API keys (read-only)

A regular GoldRush API key is a read-only programmatic credential. It works against:
  • Foundational API - REST queries for balances, transactions, NFTs, etc.
  • Streaming API - GraphQL/WebSocket subscriptions and queries.
  • CLI - all goldrush commands.
  • x402 - pay-per-request proxy.
It does not work for the Pipeline REST API, and it does not authenticate platform login.

3. ServiceKeys (Pipeline CRUD)

A ServiceKey is a programmatic credential scoped specifically to pipeline management. Use it to:
  • List, create, update, pause, resume, and delete pipelines via the REST API.
  • Poll status, logs, metrics, and destination health.
  • Drive pipeline configuration from CI/CD, infrastructure-as-code, or scripts.
ServiceKeys are issued from the GoldRush Platform and can be rotated or revoked at any time. See Service Keys for details.

Destination credentials

Destination credentials (database passwords, webhook tokens, S3 access keys) are part of your pipeline configuration, not an authentication mechanism for GoldRush itself. You provide them when creating or updating a pipeline:
Destination credentials are stored encrypted, injected at deploy time via environment variable interpolation, and masked as ****** when read back through the REST API. They are never exposed in logs or the UI after being set.
Because secrets read back as ******, never echo them back in a write. Use PATCH to rotate a secret by sending the new value in destination_config.

Error handling

For a complete guide to error codes, retry strategies, and debugging tips, see Error Handling & Troubleshooting.

FAQ

  • Can I use the same key for all GoldRush products?
    • No. API keys cover the read-only products (Foundational, Streaming, CLI, x402). ServiceKeys cover the Pipeline REST API. Platform login is separate.
  • Where do I create a ServiceKey?
  • How are destination credentials stored?
    • Encrypted at rest, injected at deploy time, masked as ****** on read. They are never exposed in logs or the UI after being set.
  • Do I need to allowlist GoldRush IP addresses?
    • If your destination is behind a firewall, yes. Contact support for the current egress IP list.