# Protocol API

> Query on-chain M0 protocol data — token supplies, holder balances, yields, and configuration — via GraphQL.

The Protocol API is a GraphQL API for querying on-chain data: token supplies, holder balances,
rewards accrual, earner status, and protocol configuration parameters.

## Endpoint

```text
https://protocol-api.m0.org/graphql
```

An [interactive GraphQL playground](https://protocol-api.m0.org/graphql) is available at the same
URL for exploring the schema and testing queries.

## Authentication

The M0 Protocol API requires authentication via API keys to access its endpoint. This ensures that
only authorized users can interact with the API and access its data.

[Contact us](https://www.m0.org/contact-us) to obtain an API key.

### Using API Keys

To authenticate your requests, include the API key in the `Authorization` header of your HTTP
requests. For example post with curl:

```sh
curl -i \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: ApiKey <YOUR_API_KEY>" \
  --data '{"query":"{ __typename }"}' \
  https://protocol-api.m0.org/graphql
```

API keys should be kept secret and not exposed in public repositories or client-side code. If you
believe your API key has been compromised, please contact us immediately to revoke the key and
issue a new one.

### Storing API Keys Securely

To protect your API key and prevent unauthorized access, follow these best practices:

#### Restrict Access by Origin and IP

Configure your API key to limit where it can be used from:

- **IP Allowlisting**: Restrict the API key to specific IP addresses or CIDR ranges that correspond to your backend servers
- **Origin Restrictions**: If applicable, limit the domains or origins that can make requests using your API key

Contact us to configure these restrictions for your API key. This adds an additional layer of security, ensuring that even if your key is compromised, it cannot be used from unauthorized locations.

#### Use a Backend Service

Consider implementing a backend service that:

- Stores the API key securely in environment variables or a secrets manager
- Acts as a proxy between your frontend and the M0 Protocol API
- Handles authentication on behalf of your users

This approach ensures that your API key is never transmitted to or accessible from the client.

## Query Recipes

Common GraphQL queries are documented as ready-to-use recipes:

- [Network Supply](/api-reference/protocol/recipes/network-supply)
- [Token Overview](/api-reference/protocol/recipes/token-overview)
- [Token Holders](/api-reference/protocol/recipes/token-holders)
- [Daily Yields](/api-reference/protocol/recipes/daily-yields)
- [Collateral Composition](/api-reference/protocol/recipes/collateral-composition)
- [Earner Rate History](/api-reference/protocol/recipes/earner-rate-history)
- [Minter Daily Expenses](/api-reference/protocol/recipes/minter-daily-expenses)
- [Protocol Configuration](/api-reference/protocol/recipes/protocol-config)