The xumm API can be called using an API Key and API Secret, which can be obtained from the xumm Developer Console.
The xumm API is designed to be called from a server-to-server (backend) environment. Always send requests from your application frontend to your own application backend, and call the xumm API from your application backend.
The API Key and API Secret are sent to the xumm API using HTTP headers. See: Call the 𝘅𝘂𝗺𝗺 platform (Guide)
Anyone in possession of your X-API-Secret can create payloads (sign requests) on behalf of your application. If abused, this can greatly damage the reputation of your application. Please, never implement the xumm API in a scenario where calls are made from the client side. Only call the xumm API from your application backend, keeping your API secret safe on the server side.
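The backend pattern described above, as an added example (not xumm's own code): the frontend sends only an action name, and the backend attaches the credentials and returns a minimal result. The payload endpoint URL, the X-API-Key header name, the environment variable names, the `uuid` response field and all function names are assumptions not taken from this page.

```javascript
// Added example, not xumm's own code. The endpoint URL, the X-API-Key header name,
// the env var names and the "uuid" response field are assumptions.
const XUMM_PAYLOAD_URL = 'https://xumm.app/api/v1/platform/payload';

// Credentials come from the backend's environment, never from the client.
function loadCredentials(env = process.env) {
  const key = env.XUMM_API_KEY;
  const secret = env.XUMM_API_SECRET;
  if (!key || !secret) throw new Error('xumm credentials are not configured');
  return { key, secret };
}

// Sign requests the frontend may ask for; the backend owns the txjson.
const ACTIONS = { signin: { TransactionType: 'SignIn' } };

// Outbound request to xumm. Only the backend ever builds or sees these headers.
function buildXummRequest(creds, txjson) {
  return {
    url: XUMM_PAYLOAD_URL,
    options: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'X-API-Key': creds.key,
        'X-API-Secret': creds.secret,
      },
      body: JSON.stringify({ txjson }),
    },
  };
}

// Handles a frontend request body and returns what the backend replies to the browser.
async function handleFrontendRequest(clientBody, creds, fetchImpl = fetch) {
  const action = clientBody ? clientBody.action : undefined;
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, action)) {
    return { status: 400, body: { error: 'unknown action' } };
  }
  const { url, options } = buildXummRequest(creds, ACTIONS[action]);
  const res = await fetchImpl(url, options);
  if (!res.ok) {
    // Do not echo the upstream response: it is not meant for the browser.
    return { status: 502, body: { error: 'sign request could not be created' } };
  }
  const data = await res.json();
  // Return only the field the frontend needs, never the request or its headers.
  return { status: 200, body: { uuid: data.uuid } };
}
```

Wire `handleFrontendRequest` into whatever HTTP framework the backend uses; the third parameter exists so the xumm call can be replaced in tests.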