Authentication

Every Artery request — REST and WebSocket — is authenticated by a Bearer token issued via POST /keys. Tokens are scoped and tier-rate-limited.

Token format

art_live_<uuid>.<32-byte-base64url-secret>

The token is hashed with scrypt-64 server-side. Artery never stores the plaintext — losing it requires creating a new key.
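A sketch of how a server can check a token of this shape while keeping only a salted scrypt hash. This is an added example, not Artery's code. It assumes that the `<uuid>` part is the key id used for lookup, that "scrypt-64" means a 64-byte output, and that the secret is unpadded base64url; the per-key salt, the cost parameters, the in-memory store and all function names are hypothetical.

```python
import base64, hashlib, hmac, re, secrets, uuid

# Shape from the page: art_live_<uuid>.<32-byte-base64url-secret>.
# Assumption: unpadded base64url, so 32 bytes encode to 43 characters.
TOKEN_RE = re.compile(
    r"art_live_([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\.([A-Za-z0-9_-]{43})"
)

def parse_token(token):
    """Return (key_id, secret_bytes), or None if the token is malformed."""
    m = TOKEN_RE.fullmatch(token)
    if m is None:
        return None
    return m.group(1), base64.urlsafe_b64decode(m.group(2) + "=")

def hash_secret(secret, salt):
    # Assumption: "scrypt-64" means a 64-byte scrypt output; the salt and
    # cost parameters (N, r, p) are illustrative, not Artery's.
    return hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1,
                          dklen=64, maxmem=64 * 2**20)

def mint_key(store):
    """Return the plaintext token once; the store keeps only salt and hash."""
    key_id, secret, salt = str(uuid.uuid4()), secrets.token_bytes(32), secrets.token_bytes(16)
    store[key_id] = {"salt": salt, "hash": hash_secret(secret, salt), "revoked": False}
    encoded = base64.urlsafe_b64encode(secret).rstrip(b"=").decode()
    return f"art_live_{key_id}.{encoded}"

def verify_token(store, token):
    """True only for a well-formed, known, unrevoked token whose hash matches."""
    parsed = parse_token(token)
    if parsed is None:
        return False
    key_id, secret = parsed
    record = store.get(key_id)
    if record is None or record["revoked"]:
        return False
    # Constant-time comparison avoids leaking how many hash bytes matched.
    return hmac.compare_digest(hash_secret(secret, record["salt"]), record["hash"])

if __name__ == "__main__":
    store = {}                                   # constructed in-memory key store
    token = mint_key(store)
    print(verify_token(store, token))            # freshly minted token
    store[parse_token(token)[0]]["revoked"] = True   # effect of revoking the key
    print(verify_token(store, token))            # same token after revocation
```

Because the store holds only the salt and hash, a lost token cannot be recovered from it, which is why a new key has to be created.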

Scopes

| Scope | Allows |
| --- | --- |
| read | All GET data endpoints (markets, orderbook, prices, positions) |
| trade | POST / DELETE order endpoints (planned) |
| stream | WebSocket subscriptions on /v1/stream |
| admin | Bypass all scope checks (internal tooling) |

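Set the token's scopes when creating the key:

```bash
# Send the body as JSON, matching the tier example under "Rate limits"
curl -X POST https://api.artery.questflow.ai/keys \
  -H "Content-Type: application/json" \
  -d '{"name":"trader-bot","userId":"u-1","scopes":["read","trade","stream"]}'
```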

Rate limits

Rate limits are per API key, not per IP. Pick a tier when creating the key (default: free):

| Tier | Calls / month | Concurrent WS |
| --- | --- | --- |
| free | 10,000 | 1 |
| builder | 500,000 | 5 |
| pro | 5,000,000 | 50 |
| enterprise | unlimited | unlimited |

```bash
curl -X POST https://api.artery.questflow.ai/keys \
  -H "Content-Type: application/json" \
  -d '{
    "name":"trader-bot",
    "userId":"u-1",
    "scopes":["read","trade","stream"],
    "rateLimitTier":"builder"
  }'
```

Every authenticated response carries X-RateLimit-Limit / X-RateLimit-Remaining / X-RateLimit-Reset / X-RateLimit-Tier. A throttled key gets 429 plus Retry-After. See Rate limits for the full reference.

Provider credentials (passthrough model)

Artery does not store your Polymarket / Hyperliquid / Kalshi credentials by default. For trade endpoints, your client passes per-request credential headers:

| Provider | Header(s) |
| --- | --- |
| Polymarket | X-Polymarket-Credentials (encrypted blob; planned) |
| Hyperliquid | X-HL-Agent-Key (planned) |
| Kalshi | X-Kalshi-Key-Id + uploaded RSA key (planned) |

Warning

Artery only ever sees credentials with the scope you grant. Withdrawals remain on the upstream platform — Artery cannot move funds off-platform.

Revocation

```bash
curl -X DELETE "https://api.artery.questflow.ai/keys/<id>"
```

Revoked tokens are rejected immediately on the next request.

Unauthenticated routes

A small set of endpoints are intentionally public — they need no Authorization header:

| Path | Purpose |
| --- | --- |
| GET /health | Service liveness — returns { status, service, version, uptimeSeconds, timestamp } |
| GET /providers | Capability catalog — used by clients for feature detection |
| POST /keys | Mint a new key (rate-limited per IP — internal tooling only in production) |
| DELETE /keys/{id} | Revoke a key |

Every other route — /v1/... data endpoints and /v1/stream WebSocket — requires a Bearer token.
