{BASE_URL}.
Authentication tiers
Public
No credentials. All market-data reads and public streams.
Session
A SIWE sign-in yields an httpOnly session cookie (7-day validity). Required
for placing orders and viewing your account, wallet, and keys.
API key
An x-api-key header for programmatic access. Scoped read or trade.
Accepted on high-throughput trading paths (previews, bulk quotes, cancel-all,
algo streams).
API keys are created and revoked only from a signed-in session — a key cannot
mint or revoke another key.
Sign in with your wallet
Request a nonce
Ask the gateway for a one-time, short-lived nonce to include in your signed
message.
The nonce is single-use. Request a fresh one on each sign-in.
Build and sign a SIWE message
Construct a standard EIP-4361 message in your wallet. It must include the
nonce from step 1, the correct chainId and request uri/domain for
OCX, and an expirationTime within the allowed window. Sign it with your
wallet (for example personal_sign or wagmi’s signMessage).
Verify and open a session
Submit the exact message string and its signature. On success the response
sets the session cookie and returns your identity.
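The message from step 2 can be built and checked before it is signed, as in the following added example (not taken from the OCX documentation). The function names, the `SAMPLE_CFG` domain, uri and chainId, and the 10-minute `maxWindowMs` are assumptions to replace with the values for your deployment; the field layout follows EIP-4361.

```javascript
// Added example. SAMPLE_CFG holds constructed placeholder values, not OCX's.
const SAMPLE_CFG = {
  domain: "app.example.invalid",
  uri: "https://app.example.invalid",
  chainId: 1,
  maxWindowMs: 10 * 60 * 1000, // assumed size of the "allowed window"
};

// Build the exact string to sign. The EIP-55 checksum of the address is not verified here.
function buildSiweMessage(cfg, { address, nonce, ttlMs }, now = new Date()) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(address)) throw new Error("bad address");
  if (!/^[A-Za-z0-9]{8,}$/.test(nonce)) throw new Error("bad nonce"); // EIP-4361 minimum
  if (!(ttlMs > 0 && ttlMs <= cfg.maxWindowMs)) throw new Error("expiry outside window");
  return [
    `${cfg.domain} wants you to sign in with your Ethereum account:`,
    address,
    "", // no statement: the ABNF gives address LF LF LF "URI: "
    "",
    `URI: ${cfg.uri}`,
    "Version: 1",
    `Chain ID: ${cfg.chainId}`,
    `Nonce: ${nonce}`,
    `Issued At: ${now.toISOString()}`,
    `Expiration Time: ${new Date(now.getTime() + ttlMs).toISOString()}`,
  ].join("\n");
}

// Pre-sign check: parse a message and return the name of every field that
// does not match what this client expects. An empty array means it is safe to sign.
function checkSiweMessage(message, cfg, nonce, now = new Date()) {
  const field = (name) =>
    (message.match(new RegExp(`^${name}: (.*)$`, "m")) || [])[1];
  const problems = [];
  const domain = message.split(" wants you to sign in")[0];
  if (domain !== cfg.domain) problems.push("domain");
  if (field("URI") !== cfg.uri) problems.push("uri");
  if (field("Chain ID") !== String(cfg.chainId)) problems.push("chainId");
  if (field("Nonce") !== nonce) problems.push("nonce");
  const left = Date.parse(field("Expiration Time")) - now.getTime();
  if (!(left > 0 && left <= cfg.maxWindowMs)) problems.push("expirationTime");
  return problems;
}
```

Submit the returned string byte-for-byte in step 3; any re-serialization changes what the signature covers.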
New accounts may require an invite before trading is enabled. If invite gating
is active, redeem a code once while authenticated:
POST {BASE_URL}/auth/redeem-invite with { "code": "…" }.
End-to-end example
Provision an API key for automation
For bots, market makers, and agents, sign in once with SIWE, then mint an API key scoped to what the client needs.
Scopes and access
| Capability | Public | Session | API key |
|---|---|---|---|
| Market-data reads and public streams | ✓ | ✓ | ✓ |
| Order preview, bulk quotes, cancel-all, algo streams | | ✓ | ✓ (trade) |
| Place/cancel single orders, view your account & positions | | ✓ | |
| Create / revoke API keys | | ✓ | |
Rate limits
Requests are rate-limited per client. Authenticated and API-key traffic receives higher limits than anonymous traffic. Every response carries standard X-RateLimit-* headers.