
Current Status

Lasso RPC currently operates without authentication in the open-source version. All endpoints are publicly accessible when you deploy your own Lasso instance.
If you deploy Lasso publicly, ensure proper network-level security (firewall rules, VPC isolation, reverse proxy authentication) to restrict access.

Securing Your Deployment

Since Lasso doesn’t have built-in authentication, use these strategies to secure your deployment:

Reverse Proxy Authentication

Deploy Lasso behind a reverse proxy (nginx, Caddy, Traefik) with authentication:
location /rpc/ {
    auth_basic "Lasso RPC";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:4000;
}

API Gateway

Use an API gateway (Kong, Tyk, AWS API Gateway) to add:
  • API key validation
  • Rate limiting per key
  • Usage tracking
  • Multiple authentication methods

Network-Level Security

  • Firewall rules: Restrict access by IP address
  • VPC isolation: Deploy in private subnet, expose via load balancer
  • VPN: Require VPN access to reach Lasso endpoints
  • mTLS: Client certificate authentication at load balancer

Example: Nginx with API Key

location /rpc/ {
    # Validate API key from header. "your-secret-key" is a placeholder:
    # use a long random value and keep this config out of version control.
    if ($http_x_api_key != "your-secret-key") {
        return 401;
    }
    proxy_pass http://localhost:4000;
}

Provider Authentication

Lasso authenticates with upstream RPC providers using API keys configured in your profile YAML:
providers:
  - id: "alchemy_eth"
    url: "https://eth-mainnet.g.alchemy.com/v2/${ALCHEMY_API_KEY}"
Set provider API keys as environment variables:
export ALCHEMY_API_KEY=your_alchemy_key
export INFURA_API_KEY=your_infura_key
See Environment Variables for all available provider API keys.

Future: Built-in Authentication

API key authentication and multi-tenant access control are planned features. See the roadmap for details. Planned features:
  • Per-tenant API keys
  • Rate limiting per key
  • Usage attribution and billing
  • Provider access controls per tenant
  • OAuth 2.0 / JWT support

Best Practices

Internal Deployment

Deploy in private network, access via VPN or bastion host

Public Deployment

Use reverse proxy with authentication and rate limiting

Development

Bind to localhost only: http: [ip: {127, 0, 0, 1}]

Production

Layer multiple security controls (network + proxy + monitoring)
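The following nginx configuration is an added example (not part of the Lasso documentation or project) that layers the controls named under Public Deployment and Production: TLS termination, the basic-auth setup from the Reverse Proxy Authentication section, per-user rate limiting, and a Lasso instance bound to 127.0.0.1:4000. The hostname rpc.example.com and the certificate paths are assumptions; the htpasswd path and port come from this page.

```nginx
# Rate-limit state keyed on the user name from the Authorization header:
# 10 MB of shared state, 20 requests per second per user.
limit_req_zone $remote_user zone=lasso_rpc:10m rate=20r/s;

server {
    listen 443 ssl;
    server_name rpc.example.com;            # assumed hostname

    ssl_certificate     /etc/nginx/certs/rpc.example.com.pem;  # assumed path
    ssl_certificate_key /etc/nginx/certs/rpc.example.com.key;  # assumed path

    # Only the RPC path is exposed; everything else is refused.
    location / {
        return 404;
    }

    location /rpc/ {
        # Layer 1: authentication, using the same htpasswd file as the
        # Reverse Proxy Authentication snippet.
        auth_basic "Lasso RPC";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Layer 2: per-user rate limiting with a small burst; excess gets 429.
        limit_req zone=lasso_rpc burst=40 nodelay;
        limit_req_status 429;

        # Layer 3: Lasso listens only on 127.0.0.1:4000, so this proxy is the
        # sole route in. Strip the client's credentials before forwarding.
        proxy_pass http://127.0.0.1:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Authorization "";
    }
}

# Redirect plain HTTP to TLS so credentials are never sent in clear text.
server {
    listen 80;
    server_name rpc.example.com;
    return 301 https://$host$request_uri;
}
```

nginx applies limit_req before auth_basic, so a request carrying a bogus user name consumes that name's rate budget and is then rejected with 401; requests with no Authorization header have an empty key and are not counted. For this layering to hold, the Lasso endpoint must be bound to localhost as shown in the Development note above, otherwise port 4000 can be reached around the proxy.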
