Authentication
API Keys
The REST API uses per-user API keys for authentication. Each key is tied to your account — any deals created via the API belong to you.
Creating an API Key
- Navigate to API in the sidebar
- Click Create API Key
- Enter a descriptive name (e.g., "Trading Script", "Postman")
- Click Create
- Copy the key immediately — it will only be shown once
API keys use the format sa_ followed by 64 hexadecimal characters:
sa_a1b2c3d4e5f6...
Using Your API Key
Include the key in the x-api-key header on every request:
curl -H "x-api-key: sa_your_api_key_here" \
https://kc9zu8cyjf.execute-api.us-east-1.amazonaws.com/v1/deals
Managing Keys
On the API page you can:
- View all your keys (only the prefix is shown, never the full key)
- See usage — each key shows when it was created and last used
- Revoke a key — permanently deactivates it; any scripts using it will stop working
Security
- API keys are hashed with SHA-256 before storage — the plaintext key is never stored
- Only the key prefix (first 11 characters) is shown in the UI for identification
- Keys can be revoked instantly and cannot be re-enabled
- Each key is scoped to your user account only
- The lastUsedAt timestamp is updated on each successful authentication
Best Practices
- Create separate keys for each script or integration
- Use descriptive names so you know what each key is for
- Revoke keys you no longer need
- Never commit API keys to source control
- Rotate keys periodically
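To back up "Never commit API keys to source control", the following added example (not part of the original documentation or the service's own code) scans files for strings in the documented key format and reports only the 11-character prefix, so a finding can be matched to the key shown on the API page and revoked. The function names, the sample text and the acceptance of upper-case hex are assumptions.

```python
import re
import sys

# Format from the page: "sa_" followed by 64 hexadecimal characters.
# Accepting upper-case hex is an assumption; the page's sample is lower-case.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sa_[0-9a-fA-F]{64}(?![0-9a-fA-F])")
PREFIX_LEN = 11  # the UI shows the first 11 characters of each key


def find_keys(text):
    """Return (line_number, prefix) for every full-length key found in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            # Report only the prefix so the scanner's output never leaks the key.
            findings.append((line_no, match.group(0)[:PREFIX_LEN]))
    return findings


def scan_files(paths):
    """Scan files and return (path, line_number, prefix) tuples."""
    results = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as handle:
                text = handle.read()
        except OSError as exc:
            print(f"skipped {path}: {exc}", file=sys.stderr)
            continue
        results.extend((path, n, p) for n, p in find_keys(text))
    return results


# Constructed sample: a fake key (not a real credential) next to placeholders.
SAMPLE = "\n".join([
    'curl -H "x-api-key: sa_your_api_key_here" https://example.invalid/v1/deals',
    "API_KEY=sa_" + "0123456789abcdef" * 4,
    "note: sa_a1b2c3d4e5f6... is truncated",
])

if __name__ == "__main__":
    args = sys.argv[1:]
    hits = scan_files(args) if args else [("<sample>", n, p) for n, p in find_keys(SAMPLE)]
    for path, line_no, prefix in hits:
        print(f"{path}:{line_no}: API key with prefix {prefix} found; revoke it")
    sys.exit(1 if hits else 0)
```

Run with the staged file paths as arguments from a pre-commit hook; a non-zero exit status blocks the commit.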