Thassa.

API reference

API keys

Keys are managed by authenticated app users — the easiest path is the web app (Settings → Developer), which drives exactly these endpoints. They live under /v1/developer/keys and authenticate with your app session (Bearer access token), not with an API key — a key cannot mint or revoke keys.

  • Keys inherit your identity: the key’s user is the identifier for every gating rule, exactly as if you were in the app.
  • Scopes: read (authenticated reads + WS) or trade (reads + order placement/cancel). See Getting started.
  • Secrets are stored hashed (SHA-256); after creation only the prefix identifies a key.

Create a key

POST/v1/developer/keysapp session
Body fieldTypeDescription
namestringrequiredHuman label, e.g. "trading-bot".
scopestringrequired"read" or "trade".
curl
curl -X POST "http://localhost:8080/v1/developer/keys" \
  -H "Authorization: Bearer $APP_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "name": "trading-bot", "scope": "trade" }'
201 response
{
  "key": {
    "id": "9c2e5a10-7f4b-4f9e-a2d1-0b1e8c3d4f55",
    "name": "trading-bot",
    "scope": "trade",
    "prefix": "tk_live_9c2e",
    "secret": "tk_live_9c2e5a107f4b4f9ea2d10b1e8c3d4f55…",  // shown ONCE
    "created_at": "2026-07-16T08:00:00Z"
  }
}

Secret shown once

secret appears only in this response — it is never retrievable again. Store it in a secret manager immediately.

List keys

GET/v1/developer/keysapp session

Returns metadata and prefixes — never secrets.

curl
curl "http://localhost:8080/v1/developer/keys" \
  -H "Authorization: Bearer $APP_ACCESS_TOKEN"
200 response
{
  "keys": [
    {
      "id": "9c2e5a10-7f4b-4f9e-a2d1-0b1e8c3d4f55",
      "name": "trading-bot",
      "scope": "trade",
      "prefix": "tk_live_9c2e",
      "created_at": "2026-07-16T08:00:00Z"
    },
    {
      "id": "1b8d3c22-05aa-4e01-9c77-d2f4a6b8e901",
      "name": "dashboard-reader",
      "scope": "read",
      "prefix": "tk_live_1b8d",
      "created_at": "2026-07-01T12:30:00Z"
    }
  ]
}

Revoke a key

DELETE/v1/developer/keys/{id}app session

Revocation is immediate: in-flight and subsequent requests with the key fail with 401. Revoke and re-mint on any suspicion of exposure.

curl
curl -X DELETE "http://localhost:8080/v1/developer/keys/9c2e5a10-7f4b-4f9e-a2d1-0b1e8c3d4f55" \
  -H "Authorization: Bearer $APP_ACCESS_TOKEN"