AArtery
On this page

Authentication

Every Artery request — REST and WebSocket — is authenticated by a Bearer token issued via POST /keys. Tokens are scoped; usage quota comes from the token's organization subscription plan.

Token format

art_live_<uuid>.<32-byte-base64url-secret>

The token is hashed with scrypt-64 server-side. Artery never stores the plaintext — losing it requires creating a new key.

Scopes

ScopeAllows
readAll GET data endpoints (markets, orderbook, prices, positions)
tradePOST / DELETE order endpoints (planned)
streamWebSocket subscriptions on /v1/stream
adminManage keys and other resources within the caller's organization

Decorate your token's scopes when creating:

bashcurl -X POST https://api.artery.questflow.ai/keys \
  -H "Authorization: Bearer art_live_<your-admin-key>" \
  -H "Content-Type: application/json" \
  -d '{"name":"trader-bot","userId":"u-1","scopes":["read","trade","stream"]}'

Rate limits

Quota is per organization and SKU, not per key or IP. The organization's free, pro, or enterprise subscription plan supplies per-minute and per-day limits for each kind of usage. Creating or rotating a key does not change those limits or create a new quota pool.

The legacy rateLimitTier key-creation field is deprecated and ignored for quota selection; omit it from new integrations.

Metered responses carry X-Quota-Sku, X-Quota-Limit, X-Quota-Remaining, and X-Quota-Reset. An exhausted window returns 429 with error.code: quota_exceeded. See Rate limits for the full reference.

Provider credentials (passthrough model)

Artery does not store your Polymarket / Hyperliquid / Kalshi credentials by default. For trade endpoints, your client passes per-request credential headers:

ProviderHeader(s)
PolymarketX-Polymarket-Credentials (encrypted blob; planned)
HyperliquidX-HL-Agent-Key (planned)
KalshiX-Kalshi-Key-Id + uploaded RSA key (planned)
Warning

Artery only ever sees credentials with the scope you grant. Withdrawals remain on the upstream platform — Artery cannot move funds off-platform.

Revocation

bashcurl -X DELETE "https://api.artery.questflow.ai/keys/<id>"

Revoked tokens are rejected immediately on the next request.

Unauthenticated routes

A small set of endpoints are intentionally public — they need no Authorization header:

PathPurpose
GET /healthService liveness — returns { status, service, version, uptimeSeconds, timestamp }
GET /providersCapability catalog — used by clients for feature detection

Every other route — including key creation/revocation, /v1/... data endpoints, and /v1/stream WebSocket — requires a Bearer token or authenticated portal session.

Edit this page on GitHubLast updated
Authentication · Artery API Docs