docs/00-meta/UNBLOCK_MAINNET_RPC_403.md

# Unblock Mainnet RPC 403 (Private Key Restriction)

**Issue:** `ETHEREUM_MAINNET_RPC` returns **403** with body: *"private key only is enabled in Project ID settings"*. Forge/cast cannot send transactions with your deployer key.

**Cause:** Some RPC providers (e.g. Infura, Alchemy) can restrict a project so that **only their SDK/wallet can use the API key**; raw `eth_sendTransaction` or private-key signing from scripts is rejected.

---

## One-step fix

Set `ETHEREUM_MAINNET_RPC` in `smom-dbis-138/.env` (and root `.env` if used) to a Mainnet URL that **allows raw private key** (or `eth_sendTransaction` from your IP). Then re-run the deploy.

### Option A — Same provider, disable restriction

- **Infura:** Dashboard → Project → Settings → ensure **"Restrict to SDK / wallet only"** (or similar) is **off** for the project used in the URL.
- **Alchemy:** Dashboard → App → Settings → check **API key restrictions**; allow the methods your scripts need (e.g. full access or no "private key only" restriction).

Then keep using the same URL, e.g.  
`ETHEREUM_MAINNET_RPC=https://mainnet.infura.io/v3/YOUR_PROJECT_ID`

### Option B — Use a different RPC (no key restriction)

Examples (no API key or key without private-key restriction):

- `ETHEREUM_MAINNET_RPC=https://eth.llamarpc.com`
- `ETHEREUM_MAINNET_RPC=https://rpc.ankr.com/eth`
- `ETHEREUM_MAINNET_RPC=https://ethereum.publicnode.com` **(in use:** set in smom-dbis-138/.env and used for Trustless Mainnet deploy)
- Or any other public/mainnet RPC that accepts `eth_sendTransaction` or signing with your key.

**Security:** Prefer a project-specific URL (Option A) over a shared public RPC when possible.

---

## After unblocking

1. **Trustless Mainnet deploy:**  
   `cd smom-dbis-138 && source .env && forge script script/bridge/trustless/DeployTrustlessBridge.s.sol:DeployTrustlessBridge --rpc-url "$ETHEREUM_MAINNET_RPC" --broadcast --via-ir`

2. **Trustless liquidity (phase6-provide-liquidity.sh):**  
   Ensure `LIQUIDITY_POOL`, `RESERVE_SYSTEM`, `ETHEREUM_MAINNET_RPC`, `LIQUIDITY_AMOUNT`, `RESERVE_AMOUNT` are set, then run the script.

---

**Refs:** [OPTIONAL_DEPLOYMENTS_START_HERE](../07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md) §2C | [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md)
Sync all local changes: docs, config, scripts, submodule refs, verification evidence Co-authored-by: Cursor <cursoragent@cursor.com> 2026-02-21 15:46:06 -08:00			`# Unblock Mainnet RPC 403 (Private Key Restriction)`

			Issue: `ETHEREUM_MAINNET_RPC` returns 403 with body: "private key only is enabled in Project ID settings". Forge/cast cannot send transactions with your deployer key.

			Cause: Some RPC providers (e.g. Infura, Alchemy) can restrict a project so that only their SDK/wallet can use the API key; raw `eth_sendTransaction` or private-key signing from scripts is rejected.

			`---`

			`## One-step fix`

			Set `ETHEREUM_MAINNET_RPC` in `smom-dbis-138/.env` (and root `.env` if used) to a Mainnet URL that allows raw private key (or `eth_sendTransaction` from your IP). Then re-run the deploy.

			`### Option A — Same provider, disable restriction`

			`- Infura: Dashboard → Project → Settings → ensure "Restrict to SDK / wallet only" (or similar) is off for the project used in the URL.`
			`- Alchemy: Dashboard → App → Settings → check API key restrictions; allow the methods your scripts need (e.g. full access or no "private key only" restriction).`

			`Then keep using the same URL, e.g.`
			`ETHEREUM_MAINNET_RPC=https://mainnet.infura.io/v3/YOUR_PROJECT_ID`

			`### Option B — Use a different RPC (no key restriction)`

			`Examples (no API key or key without private-key restriction):`

			- `ETHEREUM_MAINNET_RPC=https://eth.llamarpc.com`
			- `ETHEREUM_MAINNET_RPC=https://rpc.ankr.com/eth`
			- `ETHEREUM_MAINNET_RPC=https://ethereum.publicnode.com` (in use: set in smom-dbis-138/.env and used for Trustless Mainnet deploy)
			- Or any other public/mainnet RPC that accepts `eth_sendTransaction` or signing with your key.

			`Security: Prefer a project-specific URL (Option A) over a shared public RPC when possible.`

			`---`

			`## After unblocking`

			`1. Trustless Mainnet deploy:`
			`cd smom-dbis-138 && source .env && forge script script/bridge/trustless/DeployTrustlessBridge.s.sol:DeployTrustlessBridge --rpc-url "$ETHEREUM_MAINNET_RPC" --broadcast --via-ir`

			`2. Trustless liquidity (phase6-provide-liquidity.sh):`
			Ensure `LIQUIDITY_POOL`, `RESERVE_SYSTEM`, `ETHEREUM_MAINNET_RPC`, `LIQUIDITY_AMOUNT`, `RESERVE_AMOUNT` are set, then run the script.

			`---`

docs(00-meta): refresh task lists, gaps, and operator indexes Made-with: Cursor 2026-03-27 18:47:08 -07:00			`Refs: [OPTIONAL_DEPLOYMENTS_START_HERE](../07-ccip/OPTIONAL_DEPLOYMENTS_START_HERE.md) §2C \| [OPERATOR_READY_CHECKLIST.md](OPERATOR_READY_CHECKLIST.md)`