The Spearmint API is most often used in session-less contexts on the frontend, which makes it difficult to distinguish bad traffic from good and to act on it without false positives.
In order to improve resistance to malicious behavior and protect your project, we offer some safeguards for your API keys.
Allowed origins
You can specify up to 5 origins from which to allow API key access. This is useful for publishable (client-side) keys so that requests may only originate from your site (e.g., https://example.com), and not others. Note that this is not bulletproof, as the origin can be spoofed in some environments, but it provides a reasonable measure of defense in the browser.
Allowed IP addresses
You can specify up to 5 IP addresses or subnets from which to allow API key access. This is useful for secret (server-side) keys, where the IP addresses or subnets on which the service is run can be predetermined. Secret keys should never be exposed to the public, but this option offers an extra measure of security.
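One way a server could enforce the two allowlists described above, as an added example that is not Spearmint's code. `KeyPolicy`, `normalize_origin`, treating an empty list as "no restriction", and failing closed on a missing Origin header are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_ENTRIES = 5  # the page's limit for origins and for IP addresses/subnets
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if malformed."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # non-numeric port or broken IPv6 literal
        return None
    if not parts.hostname or port is None or parts.path not in ("", "/"):
        return None
    if parts.query or parts.fragment or parts.username:
        return None
    return (parts.scheme, parts.hostname.lower(), port)

class KeyPolicy:
    """Hypothetical per-key restriction record (names are assumptions)."""
    def __init__(self, allowed_origins=(), allowed_networks=()):
        if len(allowed_origins) > MAX_ENTRIES or len(allowed_networks) > MAX_ENTRIES:
            raise ValueError("at most 5 entries per list")
        self.origins = {normalize_origin(o) for o in allowed_origins}
        if None in self.origins:
            raise ValueError("malformed origin in allowlist")
        # strict=False accepts a bare address as a /32 (or /128) and a CIDR subnet
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]

    def allows(self, origin_header, peer_ip):
        """Every configured list must match; peer_ip is the socket peer address."""
        if self.origins:
            # Exact tuple comparison, so "https://example.com.evil.test" cannot
            # pass as a prefix match; a missing or malformed header is refused.
            if origin_header is None or normalize_origin(origin_header) not in self.origins:
                return False
        if self.networks:
            try:
                addr = ipaddress.ip_address(peer_ip)
            except ValueError:
                return False
            if not any(addr in net for net in self.networks):
                return False
        return True
```

The IP check is only meaningful when `peer_ip` comes from the connection itself or from a proxy you operate, not from a client-supplied forwarding header.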