Token URI

Token URI is the metadata pointer for an NFT, usually returned by ERC721 tokenURI or ERC1155 uri.

Token URI tells wallets and marketplaces where to find an NFT's metadata.

Token URI Explained in Detail

Token URI points to NFT metadata. In ERC721, this is usually the string returned by tokenURI(tokenId). In ERC1155, the string returned by uri(id) can include the {id} substitution pattern.

Metadata affects marketplace display, rarity, provenance, and user expectations.

Smart contract example

function tokenURI(uint256 tokenId) public view returns (string memory);

Many implementations revert if the token ID does not exist.

Token URI in Auditing

Metadata bugs can change what users believe they bought. If metadata can be changed by the wrong party, a collection's value and integrity can be affected.

Auditors review who can update metadata, when it can change, and how nonexistent or burned tokens behave.

Red flags in code

  • Anyone can change base URI or per-token URI.

  • Metadata can change after sale without clear controls.

  • tokenURI works for nonexistent token IDs.

  • ERC1155 {id} substitution is malformed.

  • Centralized metadata updates are not controlled by a trusted admin path.

How to test or review it

  • Query existing, nonexistent, and burned token IDs.

  • Test metadata updates as admin and non-admin callers.

  • Check URI formatting for ERC721 and ERC1155.

  • Review freeze, reveal, and base URI transition logic.

  • Confirm metadata events or operational procedures match user expectations.
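
An off-chain check for the URI-formatting item above, as an added example that is not part of the original page. It applies the ERC-1155 client rule for {id} (lowercase hex, no 0x prefix, zero-padded to 64 characters) and flags malformed placeholders; the function names, the accepted scheme list and the sample URIs are assumptions made for illustration.

```python
import re

ID_PLACEHOLDER = "{id}"
BRACE_GROUP = re.compile(r"\{[^{}]*\}")  # any {...} group, to spot near-misses of {id}
# Assumption: the schemes this review accepts; adjust to the collection's policy.
KNOWN_SCHEMES = ("https://", "ipfs://", "ar://", "data:")


def expand_erc1155_uri(template: str, token_id: int) -> str:
    """Substitute {id} the way an ERC-1155 client does: lowercase hex,
    no 0x prefix, zero-padded to 64 characters."""
    if not 0 <= token_id < 2**256:
        raise ValueError("token ID outside uint256 range")
    return template.replace(ID_PLACEHOLDER, format(token_id, "064x"))


def review_uri(uri: str, standard: str) -> list[str]:
    """Findings for a string returned by tokenURI ("erc721") or uri ("erc1155")."""
    if not uri:
        return ["empty URI"]
    findings = []
    if not uri.startswith(KNOWN_SCHEMES):
        findings.append("unexpected scheme")
    if any(ch.isspace() for ch in uri):
        findings.append("whitespace in URI")
    if uri.startswith("data:"):
        return findings  # inline metadata: braces belong to the JSON payload
    groups = BRACE_GROUP.findall(uri)
    bad = [g for g in groups if g != ID_PLACEHOLDER]
    if bad:
        findings.append(f"malformed placeholder {bad[0]}")
    if uri.count("{") != len(groups) or uri.count("}") != len(groups):
        findings.append("unbalanced braces")
    if standard == "erc721" and ID_PLACEHOLDER in uri:
        findings.append("unsubstituted {id} in ERC721 URI")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real collection.
    samples = [
        ("erc1155", "https://example.com/meta/{id}.json"),
        ("erc1155", "https://example.com/meta/{ID}.json"),
        ("erc721", "https://example.com/meta/{id}.json"),
        ("erc721", "ipfs://<constructed-cid>/7.json"),
    ]
    for standard, uri in samples:
        print(standard, uri, review_uri(uri, standard) or "ok")
    print(expand_erc1155_uri(samples[0][1], 314592))
```

Feed it the strings returned by the contract for existing token IDs during review; an ERC1155 URI without {id} is accepted because a contract may also return a complete per-token URI.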
