On this page
Authentication
Every Artery request — REST and WebSocket — is authenticated by a Bearer
token issued via POST /keys. Tokens are scoped; usage quota comes from
the token's organization subscription plan.
Token format
art_live_<uuid>.<32-byte-base64url-secret>
The token is hashed with scrypt-64 server-side. Artery never stores
the plaintext — losing it requires creating a new key.
Scopes
| Scope | Allows |
|---|---|
read | All GET data endpoints (markets, orderbook, prices, positions) |
trade | POST / DELETE order endpoints (planned) |
stream | WebSocket subscriptions on /v1/stream |
admin | Manage keys and other resources within the caller's organization |
Decorate your token's scopes when creating:
bashcurl -X POST https://api.artery.questflow.ai/keys \
-H "Authorization: Bearer art_live_<your-admin-key>" \
-H "Content-Type: application/json" \
-d '{"name":"trader-bot","userId":"u-1","scopes":["read","trade","stream"]}'Rate limits
Quota is per organization and SKU, not per key or IP. The organization's
free, pro, or enterprise subscription plan supplies per-minute and
per-day limits for each kind of usage. Creating or rotating a key does not
change those limits or create a new quota pool.
The legacy rateLimitTier key-creation field is deprecated and ignored for
quota selection; omit it from new integrations.
Metered responses carry X-Quota-Sku, X-Quota-Limit,
X-Quota-Remaining, and X-Quota-Reset. An exhausted window returns 429
with error.code: quota_exceeded. See Rate limits
for the full reference.
Provider credentials (passthrough model)
Artery does not store your Polymarket / Hyperliquid / Kalshi credentials by default. For trade endpoints, your client passes per-request credential headers:
| Provider | Header(s) |
|---|---|
| Polymarket | X-Polymarket-Credentials (encrypted blob; planned) |
| Hyperliquid | X-HL-Agent-Key (planned) |
| Kalshi | X-Kalshi-Key-Id + uploaded RSA key (planned) |
Artery only ever sees credentials with the scope you grant. Withdrawals remain on the upstream platform — Artery cannot move funds off-platform.
Revocation
bashcurl -X DELETE "https://api.artery.questflow.ai/keys/<id>"Revoked tokens are rejected immediately on the next request.
Unauthenticated routes
A small set of endpoints are intentionally public — they need no Authorization
header:
| Path | Purpose |
|---|---|
GET /health | Service liveness — returns { status, service, version, uptimeSeconds, timestamp } |
GET /providers | Capability catalog — used by clients for feature detection |
Every other route — including key creation/revocation, /v1/... data endpoints,
and /v1/stream WebSocket — requires a Bearer token or authenticated portal session.