Using the RPC Proxy

Pre-General Availability: 2026-02-23

The RPC proxy gateway supports API calls and interactions with the Besu network.

The RPC proxy provides an authenticated and authorized access layer for Ethereum JSON-RPC requests. It also provides specialized features for signing transactions, running queries, and managing wallets.

Authentication

Secured endpoints require a bearer token in the authorization header:

Authorization: Bearer <access_token>

The proxy validates the token in accordance with the deployment configuration (for example, signature validation, expiration, issuer, and audience).

You can use the following command to generate a bearer token by using the access token endpoint that is available in the Blockchain Platform Manager.

curl -sS -X POST \
  "<Access Token Endpoint – fetched from Blockchain Platform Manager>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=<CLIENT_ID>" \
  -d "client_secret=<CLIENT_SECRET>" \
  -d "username=<USERNAME>" \
  -d "password=<PASSWORD>"

The following text shows an example response. You then use the value of access_token as the bearer token for subsequent calls.

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9....",
  "expires_in": 300,
  "token_type": "Bearer"
    ...
}

Authorization

Access is controlled using the following group membership, which is conveyed in the token claims.

• JSON-RPC access requires membership in the following group: BESU_RPC_GW_<instance_id>
• Instance metadata APIs also require membership in the following group: OBP_<BPMID>_CP_ADMIN

Quick Start

Execute your first cURL call and validate your configuration by using the following example which retrieves the OpenAPI specification for the endpoints.

curl -X GET \
  "<RPC_PROXY_BASE_URL>/openapi" \
  -H "Authorization: Bearer <access token>" \
  -H "Accept: application/vnd.oai.openapi"