Authentication
All API v1 endpoints require an API key passed via theX-API-Key HTTP header.
Key Format
Keys follow a predictable pattern for easy identification:ps_live_kJ9mNx2pQrStUvWxYz01Ab3CdEfGhI4j
Each key has a visible prefix (first 16 chars) used for identification without exposing the full key:
| Value | |
|---|---|
| Full key | ps_live_kJ9mNx2pQrStUvWxYz01Ab3CdEfGhI4j |
| Prefix | ps_live_kJ9mNx2p |
How It Works
When you send a request:- Your API key is SHA-256 hashed and looked up in the database
- The key’s
is_activeandexpires_atfields are validated - Rate limits are enforced based on your key’s tier
- The associated user account is loaded for trading operations
Permissions
Keys support granular permissions:| Permission | Grants Access To |
|---|---|
read | Market data, prices, balance, positions, order history, key listing |
trade | Place orders, cancel orders, create/revoke API keys |
Security Best Practices
Store keys in environment variables
Store keys in environment variables
Never hardcode API keys in source code. Use environment variables or a secrets manager.
Use key expiration for CI/CD bots
Use key expiration for CI/CD bots
Set
expires_at when creating keys for short-lived deployments. Expired keys
automatically stop working — no manual cleanup needed.Principle of least privilege
Principle of least privilege
Create separate keys for different bots:
- Data-only bot:
["read"]permission - Trading bot:
["read", "trade"]permission
Rotate keys regularly
Rotate keys regularly
Create a new key, update your bot, then revoke the old key:
Maximum 5 keys per user
Maximum 5 keys per user
The system enforces a limit of 5 active keys per user account.
Revoke unused keys to free up slots.
Error Responses
| Status Code | Meaning |
|---|---|
401 Unauthorized | Invalid, expired, or deactivated API key |
403 Forbidden | Key lacks required permission for the endpoint |