If you are distributing products embedded with API keys and can set up custom User-Agent (e.g. an Electron app, iOS or Android app), then we would recommend adding the known User-Agent to your allowlist. When a User-Agent is added to the allowlist, any API requests originated from other platforms will be rejected.

User-Agent allowlist utilizes partial string matching. If a string that is allowed to list exists in the request's full User-Agent, it is registered as a match.


Allowlist entry:com.example.dapp


curl -X POST \ \
  -H 'User-Agent: com.example.dapp/v1.2.7 (Linux; Android 8.0; SM-G930V Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.125 Mobile Safari/537.36' \
  -H 'Content-Type: application/json' \
  -H 'TRON-PRO-API-KEY: 25f66928-0b70-48cd-9ac6-da6f8247c663' \
  -d '{
    "to_address": "41e9d79cc47518930bc322d9bf7cddd260a0260a8d",
    "owner_address": "41D1E7A6BC354106CB410E65FF8B181C600FF14292",
    "amount": 1000

Result: Request is allowed while all other user-agent requests are rejected.