
Handle JWT Enforcement for 1Click Swap API #634

@petersalomonsen

Description


1Click API Announcement

This initiative was triggered by the following announcement from 1Click API:

📢 1Click Swap API – JWT Enforcement (Effective from 5th of August 2025)

Starting from tomorrow, 5th of August 2025, integrations that do not use a JWT token for authentication will incur a 0.1% fee (10 basis points) on all swaps made via the 1Click Swap API.

To avoid this fee and enable authenticated access, integrators should start using API Key (JWT-Based Authentication) in their requests.

📄 Please refer to documentation:
👉 https://docs.near-intents.org/near-intents/integration/distribution-channels/1click-api
To apply for an API Key, please fill out the following form:
👉 https://docs.google.com/forms/d/e/1FAIpQLSdrSrqSkKOMb_a8XhwF0f7N5xZ0Y5CYgyzxiAuoC2g4a2N68g/viewform

❓ Please, do not hesitate to contact us if you require support.

Implementation Solution

Backend Endpoint Requirements

To securely integrate with 1Click API while protecting the API key, we need to create a custom backend endpoint with the following specifications:

Endpoint: POST /api/treasury/oneclick-quote

Security Restrictions:

  1. Address Validation: Only accept requests from sputnik-dao.near addresses

    • Validate treasuryDaoID ends with .sputnik-dao.near
    • Automatically set refundTo and recipient to the treasury DAO address
    • Reject any attempts to use non-sputnik addresses
  2. API Key Protection:

    • Store the 1Click API key in backend environment variables
    • Never expose the key to the frontend
    • All actual quotes (non-dry) must go through this endpoint
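The following is an added example of what the backend endpoint described above could look like; it is not code from the treasury project or from 1Click. It assumes an Express-style `req`/`res` handler, that the upstream 1Click quote URL is supplied through a placeholder `ONECLICK_QUOTE_URL` variable (the real URL is in the 1Click documentation linked in the announcement), and that the JWT is sent as an `Authorization: Bearer` header. The validation is deliberately stricter than a plain suffix check: NEAR account ids are lowercase and dot-separated, so the regex rejects mixed case and anything that merely contains `.sputnik-dao.near` in the middle.

```javascript
// Added example (not the project's or 1Click's code): server side of
// POST /api/treasury/oneclick-quote. Assumptions: ONECLICK_QUOTE_URL is a
// placeholder for the upstream quote endpoint; the JWT goes in a Bearer header.

const SPUTNIK_SUFFIX = ".sputnik-dao.near";
// NEAR account ids: lowercase, at most 64 chars, dot-separated parts of [a-z0-9_-].
const SPUTNIK_DAO_RE = /^[a-z0-9_-]+(\.[a-z0-9_-]+)*\.sputnik-dao\.near$/;

// True only for well-formed accounts that end in .sputnik-dao.near.
function isSputnikDao(accountId) {
  return (
    typeof accountId === "string" &&
    accountId.length <= 64 &&
    accountId.endsWith(SPUTNIK_SUFFIX) &&
    SPUTNIK_DAO_RE.test(accountId)
  );
}

// Turns the frontend's request into the body forwarded upstream. The caller
// cannot choose refundTo/recipient and cannot turn this into a dry quote:
// both addresses are pinned to the validated DAO and dry is forced to false.
function buildOneClickRequest(body) {
  const dao = body && body.treasuryDaoID;
  if (!isSputnikDao(dao)) {
    return { ok: false, error: "treasuryDaoID must be a *.sputnik-dao.near account" };
  }
  // Strip the fields the client is not allowed to control, keep the rest.
  const { treasuryDaoID, refundTo, recipient, dry, ...quoteParams } = body;
  return {
    ok: true,
    request: { ...quoteParams, dry: false, refundTo: dao, recipient: dao },
  };
}

// Fetch options for the upstream call; the key is read here and nowhere else.
function upstreamFetchOptions(request, apiKey) {
  if (!apiKey) throw new Error("ONECLICK_API_KEY is not configured");
  return {
    method: "POST",
    headers: {
      "content-type": "application/json",
      authorization: `Bearer ${apiKey}`, // assumed header format, see 1Click docs
    },
    body: JSON.stringify(request),
  };
}

// Express-style handler: 400 on validation failure, otherwise forward the
// quote request with the server-held key and relay the upstream response.
async function oneClickQuoteHandler(req, res, deps = {}) {
  const built = buildOneClickRequest(req.body);
  if (!built.ok) return res.status(400).json({ error: built.error });
  const fetchImpl = deps.fetch || globalThis.fetch;
  const url = deps.upstreamUrl || process.env.ONECLICK_QUOTE_URL; // placeholder
  const apiKey = deps.apiKey || process.env.ONECLICK_API_KEY;
  const upstream = await fetchImpl(url, upstreamFetchOptions(built.request, apiKey));
  // Relay status and JSON body; the key itself is never included in the reply.
  return res.status(upstream.status).json(await upstream.json());
}
```

The `deps` parameter exists so the handler can be exercised with a fake `fetch` and a dummy key in tests; in production it falls back to the environment, which is where deployment step 1 puts `ONECLICK_API_KEY`.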

Frontend Implementation

Two-Path Architecture:

  1. Dry Quotes (Preview):

    • Used for showing quote previews as users fill the form
    • Sent directly to 1Click API with dry: true flag
    • No API key required for dry quotes
    • Auto-fetched when form fields change (with debouncing)
  2. Actual Quotes (Proposal Creation):

    • Used when user clicks "Create Proposal"
    • Routed through our backend endpoint
    • Backend validates sputnik-dao address
    • Backend adds API key and forwards to 1Click API
    • Returns proposal payload ready for submission

Benefits of This Approach:

  • ✅ API key remains secure on backend
  • ✅ Only authorized treasury DAOs can create proposals
  • ✅ Prevents potential abuse of the API
  • ✅ Maintains good UX with instant quote previews
  • ✅ No unnecessary API credit consumption (dry quotes for preview)
  • ✅ Avoids the 0.1% fee by using authenticated requests for actual swaps

Implementation PRs:

Deployment Steps:

  1. Deploy backend with ONECLICK_API_KEY environment variable
  2. Update frontend to use the new backend endpoint
  3. Test with a sputnik-dao.near account
  4. Verify non-sputnik addresses are rejected

Status: ✅ Done