Authentication summary
| Property | Value |
|---|---|
| Family | Public REST |
| Visibility | Public |
| Read-path access | Public market and stats endpoints do not require private request signatures |
| Write-path access | Private trading requests use the manually documented request-submission endpoints GET /v2/encryption-key and POST /v2/request, plus EIP-712 signing and encryption |
| Base-path rule | The adjacent request-submission endpoints are deployment-relative paths under the target base URL where they are used; they are not part of the generated public Swagger bundle |
| Replay-window fields | Signed client intents carry client_timestamp_ms and recv_window_ms; partial replay-window payloads are not accepted |
| Delegated-session support | 1CT session-key-signed intents can carry an optional delegated-session payload in session_key_signature |
| Current replay caps | recv_window_ms must stay at or below 60000, and timestamps too far ahead of server time are rejected once they cross the +1000ms future limit |
Integration meaning
- Use the public REST family for request-response data and initial snapshot lookup.
- For private trading actions, combine request signing, replay-window fields, and request encryption before submission.
- If you use delegated sessions, validate the session payload path the same way you validate the wallet-signature path, because failed session authorization returns 401 SessionUnauthorized.
- Use Realtime Authentication when you need the current WebSocket identity model and filtered user-data subscriptions.
- Use Operator & Restricted APIs when the surface is explicitly operator-oriented or compliance-oriented.
Base URL and path interpretation
The current Mintlify OpenAPI render input does not declare a canonical servers[] array. Treat generated public REST paths as deployment-relative, and apply the same deployment-relative rule to the adjacent manually documented request-submission endpoints where you use them. Choose the base URL from the target environment you are integrating against rather than assuming every deployment uses the same public host.
Signed private-request fields
| Field family | Why it matters |
|---|---|
| EIP-712 intent fields | Define the trade, cancel, modify, or withdrawal request being authorized |
| nonce | Prevents replay and orders otherwise identical requests deterministically |
| client_timestamp_ms + recv_window_ms | Bind the signed payload to a live replay window enforced by the gateway |
| session_key_signature | Carries delegated-session authorization for supported session-key request flows |
| signature | Proves control of the trader wallet or delegated session authority |
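Gateway-side enforcement of the replay caps in the summary table and of the nonce and replay-window fields in the table above, as an added example (not code from the page or its project). It assumes the intent is a dict keyed by the documented field names, that nonces are tracked per signer, and that a window already behind server time counts as expired; the page states only the caps, not the expiry rule.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

MAX_RECV_WINDOW_MS = 60_000  # recv_window_ms must stay at or below 60000 (from the page)
MAX_FUTURE_SKEW_MS = 1_000   # more than +1000ms ahead of server time is rejected (from the page)


@dataclass(frozen=True)
class ReplayCheck:
    ok: bool
    reason: Optional[str] = None


def _is_int(value) -> bool:
    # bool is a subclass of int in Python and is not a valid millisecond value
    return isinstance(value, int) and not isinstance(value, bool)


def check_replay_window(intent: dict, server_now_ms: int) -> ReplayCheck:
    """Validate client_timestamp_ms / recv_window_ms of one intent against server time."""
    ts = intent.get("client_timestamp_ms")
    win = intent.get("recv_window_ms")
    # Partial replay-window payloads are not accepted: both fields must be present together.
    if ts is None or win is None:
        return ReplayCheck(False, "client_timestamp_ms and recv_window_ms are both required")
    if not _is_int(ts) or not _is_int(win):
        return ReplayCheck(False, "replay-window fields must be integer milliseconds")
    if win < 0 or win > MAX_RECV_WINDOW_MS:
        return ReplayCheck(False, f"recv_window_ms must be between 0 and {MAX_RECV_WINDOW_MS}")
    if ts - server_now_ms > MAX_FUTURE_SKEW_MS:
        return ReplayCheck(False, "client_timestamp_ms is too far ahead of server time")
    # Assumed expiry rule (not stated on the page): the window must still cover server time.
    if ts + win < server_now_ms:
        return ReplayCheck(False, "replay window has expired")
    return ReplayCheck(True)


class NonceLedger:
    """Per-signer record of accepted nonces; a repeated nonce is treated as a replay."""

    def __init__(self) -> None:
        self._seen: Dict[str, Set[int]] = {}

    def accept(self, signer: str, nonce: int) -> bool:
        used = self._seen.setdefault(signer, set())
        if nonce in used:
            return False
        used.add(nonce)
        return True
```

Run check_replay_window before verifying the EIP-712 signature so that stale or malformed windows are rejected without spending signature-verification work on them.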
Source artifacts
- packages/exchange-api/public/swagger.json
- packages/stats/public/swagger.json
- packages/api-docs/merged/unified-swagger.json