API reference
API keys
Keys are managed by authenticated app users — the easiest path is the web app (Settings → Developer), which drives exactly these endpoints. They live under /v1/developer/keys and authenticate with your app session (Bearer access token), not with an API key — a key cannot mint or revoke keys.
- Keys inherit your identity: the key’s user is the identifier for every gating rule, exactly as if you were in the app.
- Scopes:
read(authenticated reads + WS) ortrade(reads + order placement/cancel). See Getting started. - Secrets are stored hashed (SHA-256); after creation only the
prefixidentifies a key.
Create a key
POST
/v1/developer/keysapp session| Body field | Type | Description | |
|---|---|---|---|
name | string | required | Human label, e.g. "trading-bot". |
scope | string | required | "read" or "trade". |
curl
curl -X POST "http://localhost:8080/v1/developer/keys" \
-H "Authorization: Bearer $APP_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{ "name": "trading-bot", "scope": "trade" }'201 response
{
"key": {
"id": "9c2e5a10-7f4b-4f9e-a2d1-0b1e8c3d4f55",
"name": "trading-bot",
"scope": "trade",
"prefix": "tk_live_9c2e",
"secret": "tk_live_9c2e5a107f4b4f9ea2d10b1e8c3d4f55…", // shown ONCE
"created_at": "2026-07-16T08:00:00Z"
}
}Secret shown once
secret appears only in this response — it is never retrievable again. Store it in a secret manager immediately.List keys
GET
/v1/developer/keysapp sessionReturns metadata and prefixes — never secrets.
curl
curl "http://localhost:8080/v1/developer/keys" \
-H "Authorization: Bearer $APP_ACCESS_TOKEN"200 response
{
"keys": [
{
"id": "9c2e5a10-7f4b-4f9e-a2d1-0b1e8c3d4f55",
"name": "trading-bot",
"scope": "trade",
"prefix": "tk_live_9c2e",
"created_at": "2026-07-16T08:00:00Z"
},
{
"id": "1b8d3c22-05aa-4e01-9c77-d2f4a6b8e901",
"name": "dashboard-reader",
"scope": "read",
"prefix": "tk_live_1b8d",
"created_at": "2026-07-01T12:30:00Z"
}
]
}Revoke a key
DELETE
/v1/developer/keys/{id}app sessionRevocation is immediate: in-flight and subsequent requests with the key fail with 401. Revoke and re-mint on any suspicion of exposure.
curl
curl -X DELETE "http://localhost:8080/v1/developer/keys/9c2e5a10-7f4b-4f9e-a2d1-0b1e8c3d4f55" \
-H "Authorization: Bearer $APP_ACCESS_TOKEN"