# Lock it down

> Source: https://docs.erpc.cloud/use-cases/lock-it-down
> Keys, JWTs, sign-in with Ethereum, per-user rate limits — your RPC endpoint stops being a free-for-all.
> Format: machine-readable markdown export of the docs page above.
> All collapsible AI sections are inlined and fully expanded.

# Lock it down

An open RPC endpoint gets discovered fast — and someone else's bot ends up spending your provider budget. eRPC puts real access control in front: API keys for your services, JWTs or Sign-in-with-Ethereum for your users, network allowlists for your infra, and per-user rate budgets so no single consumer can starve the rest. Browsers can talk to it directly, under CORS rules you control.

- **[Authentication](/config/auth.llms.txt)** — Secrets, JWT, Sign-in-with-Ethereum, and IP allowlists.
- **[Rate limiters](/config/rate-limiters.llms.txt)** — Budgets that protect providers, projects, and fairness between users.
- **[CORS](/config/projects/cors.llms.txt)** — Serve browsers directly on your own origin rules.
- **[Admin API](/operation/admin.llms.txt)** — Operational controls behind their own separate auth.

All of the above in one place — illustrative, not a tuned production config:

**Config path:** `(root)`

**YAML — `erpc.yaml`:**

```yaml
rateLimiters:
  # a reusable budget: fairness between consumers
  budgets:
    - id: per-user
      rules:
        - method: "*"
          maxCount: 200
          period: 1s
projects:
  - id: main
    # serve browsers directly, on your own origin rules
    cors:
      allowedOrigins: ["https://app.example.com"]
      allowCredentials: false
    auth:
      strategies:
        # API keys for your services, throttled by the budget above
        - type: secret
          rateLimitBudget: per-user
          secret:
            value: ${MY_API_KEY}
        # infra allowlist: no key needed inside your network
        - type: network
          network:
            allowedCIDRs: ["10.0.0.0/8"]
            allowLocalhost: true
# Admin API auth is separate: admin.auth (same strategy types).
```

**TypeScript — `erpc.ts`:**

```typescript
rateLimiters: {
  // a reusable budget: fairness between consumers
  budgets: [{
    id: "per-user",
    rules: [{ method: "*", maxCount: 200, period: "1s" }],
  }],
},
projects: [{
  id: "main",
  // serve browsers directly, on your own origin rules
  cors: {
    allowedOrigins: ["https://app.example.com"],
    allowCredentials: false,
  },
  auth: {
    strategies: [
      // API keys for your services, throttled by the budget above
      {
        type: "secret",
        rateLimitBudget: "per-user",
        secret: { value: process.env.MY_API_KEY },
      },
      // infra allowlist: no key needed inside your network
      {
        type: "network",
        network: { allowedCIDRs: ["10.0.0.0/8"], allowLocalhost: true },
      },
    ],
  },
}]
```

## Agent reference

Copy one of these prompts into your AI agent session (Claude Code, Cursor, …) — each one points the agent at this page's machine-readable reference so it can do the work correctly:

**Prompt Example #1: add API-key auth and per-user rate limits**

```text
My eRPC endpoint is wide open and I need to lock it down with API keys and per-user rate budgets so no single consumer can exhaust my provider quota. Update my eRPC config with authentication strategies and fair-use limits. Read the full reference first: https://docs.erpc.cloud/use-cases/lock-it-down.llms.txt
```

**Prompt Example #2: enable CORS for browser clients and configure JWT auth**

```text
I want my frontend app to call eRPC directly from the browser using JWT tokens issued by my auth service. Configure CORS and JWT strategy in my eRPC config so only my domain can make requests and tokens are validated properly. Reference: https://docs.erpc.cloud/use-cases/lock-it-down.llms.txt
```

**Prompt Example #3: audit auth and rate-limit config for gaps**

```text
Review the auth and rate-limiter setup in my eRPC config for security gaps — missing IP allowlist coverage, missing method-level rate rules, or strategies without budgets. Suggest hardening steps.
Reference: https://docs.erpc.cloud/use-cases/lock-it-down.llms.txt
```

---

### Lock it down — agent starting points

This page sells the outcome; implementation lives in the feature pages. Fetch their machine-readable companions:

- [Authentication](/config/auth.llms.txt) — every strategy (secret, jwt, siwe, network, database) with full per-strategy config.
- [Rate limiters](/config/rate-limiters.llms.txt) — budgets, per-method rules, auto-tuner behavior and footguns.
- [CORS](/config/projects/cors.llms.txt) — matching semantics and preflight behavior.
- [Admin API](/operation/admin.llms.txt) — admin-scoped auth and every endpoint.

Composition notes: auth strategies attach per project (and separately for admin); each strategy can carry its own `rateLimitBudget`, so per-user fairness is an auth-level concern while provider protection is an upstream-level budget. Exact fields and defaults live in each page's agent section.

---

## Navigation (machine-readable surface)

- Up: [All pages index](https://docs.erpc.cloud/llms.txt)
- Root index of every page: [llms.txt](https://docs.erpc.cloud/llms.txt) · everything in one file: [llms-full.txt](https://docs.erpc.cloud/llms-full.txt)

### Sibling pages

- [Cut RPC cost & latency](https://docs.erpc.cloud/use-cases/cut-costs-and-latency.llms.txt) — Serve repeated questions from cache, deduplicate identical requests, and stop paying providers for the same answer twice.
- [How eRPC works](https://docs.erpc.cloud/use-cases/how-it-works.llms.txt) — Every JSON-RPC call travels a battle-tested pipeline — auth, smart caching, parallel hedging, multi-upstream consensus — and arrives with full diagnostic headers. Zero glue code required.
- [Scale chains & providers](https://docs.erpc.cloud/use-cases/scale-chains-and-providers.llms.txt) — One config line per provider, every chain they support — and the best upstream wins each request.
- [See everything](https://docs.erpc.cloud/use-cases/see-everything.llms.txt) — Per-request metrics, traces, and honest healthchecks — know about problems before your users do.
- [Survive provider outages](https://docs.erpc.cloud/use-cases/survive-provider-outages.llms.txt) — Keep serving traffic when an RPC provider slows down, rate-limits you, or disappears entirely.
- [Trust the data](https://docs.erpc.cloud/use-cases/trust-the-data.llms.txt) — Don't let one misbehaving node feed your app a wrong answer — verify, cross-check, and enforce integrity automatically.
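The audit that Prompt Example #3 asks an agent for, written out as an added example that is not eRPC's own code: it walks a config of the shape shown in the `erpc.ts` fragment above and reports the gaps that prompt names (strategies without budgets, budgets that do not exist or carry no method rules, an empty secret, a wildcard CORS origin with credentials). `Config`, `Finding` and `auditConfig` are assumed names; the sample config is constructed from the page's example with a key filled in and a budget added to the network strategy.

```typescript
// Added example, not eRPC's own code: audit a config of the shape shown above for the
// gaps Prompt Example #3 names. Field names are the page's; Finding/auditConfig are assumed.
interface Budget { id: string; rules?: { method: string; maxCount: number; period: string }[] }
interface Strategy {
  type: "secret" | "jwt" | "siwe" | "network" | "database"; rateLimitBudget?: string;
  secret?: { value?: string }; network?: { allowedCIDRs?: string[]; allowLocalhost?: boolean };
}
interface Project {
  id: string; cors?: { allowedOrigins?: string[]; allowCredentials?: boolean };
  auth?: { strategies?: Strategy[] };
}
interface Config { rateLimiters?: { budgets?: Budget[] }; projects?: Project[] }
interface Finding { project: string; severity: "high" | "medium"; message: string }
function auditConfig(cfg: Config): Finding[] {
  const out: Finding[] = [];
  const budgets = new Map((cfg.rateLimiters?.budgets ?? []).map((b): [string, Budget] => [b.id, b]));
  for (const p of cfg.projects ?? []) {
    const add = (severity: Finding["severity"], message: string) => out.push({ project: p.id, severity, message });
    const strategies = p.auth?.strategies ?? [];
    // No strategy at all: anyone who discovers the URL can spend your provider budget.
    if (strategies.length === 0) add("high", "no auth strategies: endpoint is wide open");
    strategies.forEach((s, i) => {
      const who = `strategies[${i}] (${s.type})`;
      const budget = s.rateLimitBudget ? budgets.get(s.rateLimitBudget) : undefined;
      // Fairness between consumers is attached per strategy via rateLimitBudget.
      if (!s.rateLimitBudget) add("medium", `${who} has no rateLimitBudget`);
      else if (!budget) add("high", `${who} references undefined budget "${s.rateLimitBudget}"`);
      else if (!budget.rules?.length) add("medium", `budget "${budget.id}" has no method rules`);
      // An unset MY_API_KEY env var leaves the secret empty or undefined.
      if (s.type === "secret" && !s.secret?.value) add("high", `${who} has an empty secret value`);
    });
    // A wildcard origin combined with credentials defeats the point of an origin allowlist.
    if (p.cors?.allowedOrigins?.includes("*") && p.cors?.allowCredentials)
      add("high", 'cors allows origin "*" together with credentials');
  }
  return out;
}

// Constructed sample: the page's config with a key filled in and a budget on the network strategy.
const hardened: Config = {
  rateLimiters: { budgets: [{ id: "per-user", rules: [{ method: "*", maxCount: 200, period: "1s" }] }] },
  projects: [{
    id: "main", cors: { allowedOrigins: ["https://app.example.com"], allowCredentials: false },
    auth: { strategies: [
      { type: "secret", rateLimitBudget: "per-user", secret: { value: "constructed-key" } },
      { type: "network", rateLimitBudget: "per-user", network: { allowedCIDRs: ["10.0.0.0/8"], allowLocalhost: true } },
    ] },
  }],
};
console.log(auditConfig(hardened)); // prints [] once every strategy has a defined budget
```

Run it against your real config object before deploying; a project that comes back with no `high` findings still needs the upstream-level budgets the rate-limiter page describes for provider protection.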