Getting Started
Authentication
API keys and private keys for signing transactions
The CLI needs two kinds of credentials:
- An API key for every command (read-only or otherwise).
- One or more private keys when running
execute, which signs and submits transactions on your behalf.
API Key
To obtain an API key, get in touch with the Superbridge team.
The CLI looks for your key in this order:
--api-key <key>flagSUPERBRIDGE_API_KEYenvironment variable
export SUPERBRIDGE_API_KEY=sb_live_...
superbridge healthPrivate Keys
The execute command signs transactions for one or more virtual machines depending on the route. The CLI supports keys for EVM chains, SVM (Solana) chains, and Starknet.
For each VM, keys are loaded with this precedence:
--<vm>-private-key <value>flag — convenient but leaks into shell history, so the CLI prints a warning when you use it.--<vm>-private-key-file <path>flag — reads the key from a file.<VM>_PRIVATE_KEYenvironment variable.
EVM
export EVM_PRIVATE_KEY=0xabc...A 32-byte hex string with or without the 0x prefix.
SVM (Solana)
export SVM_PRIVATE_KEY=...Three formats are accepted:
- Base58 (the format Phantom exports).
- Hex (with or without
0x). - JSON byte array (the format
solana-keygenwrites — useful with--svm-private-key-file ~/.config/solana/id.json).
Starknet
export STARK_PRIVATE_KEY=0x...
export STARK_ACCOUNT_ADDRESS=0x...Starknet additionally requires the account contract address, which is distinct from the public key derivation. Pass it via --stark-account-address or STARK_ACCOUNT_ADDRESS.
Best Practices
- Prefer env vars or files — never pass keys inline in shared shells or CI logs.
- Keep API keys server-side — don't bake them into client-side scripts that ship to users.
- Use a fresh key for automation — rotate via the Superbridge team if anything is exposed.
- Scope your shell session —
exportkeys in a subshell or use a tool likedirenvso they don't linger in your environment.