Prefer a UI? Visit auth.forka.st to connect your wallet, generate credentials, list existing keys, or revoke them without crafting requests manually.
L1 authentication (wallet signature)
Creating or revoking API keys requires an EIP-712 signature produced by the Polygon wallet that owns the account.Headers
| Header | Description |
|---|---|
FORKAST_ADDRESS | Polygon address that owns the account. |
FORKAST_SIGNATURE | EIP-712 signature over the auth payload. |
FORKAST_TIMESTAMP | Unix timestamp (seconds) at signing time. |
FORKAST_NONCE | Monotonic nonce bound to the signature. |
Typed data schema
L2 authentication (API credentials)
Once an API key is issued, subsequent private requests authenticate with L2 headers derived from thesecret and passphrase.
Headers
| Header | Description |
|---|---|
FORKAST_ADDRESS | Polygon address that originally generated the key. |
FORKAST_SIGNATURE | HMAC signature built from the API secret. |
FORKAST_TIMESTAMP | Unix timestamp (seconds) for replay protection. |
FORKAST_API_KEY | UUID v4 identifier returned by POST /auth/api-key. |
FORKAST_PASSPHRASE | 64-character hex passphrase used to unwrap the secret client-side and included in every request. |
Storage guarantees
- The API secret and passphrase are never persisted by Forkast. They are generated deterministically from the wallet signature and returned once.
- Because the passphrase travels with each request, use it to decrypt any local storage of the secret and treat both values as sensitive.
- Revoking an API key invalidates the key/secret/passphrase trio immediately; list endpoints will omit revoked keys.
Which header to use?
| Action | Required header |
|---|---|
POST /auth/api-key | L1 |
DELETE /auth/api-key | L2 |
GET /auth/api-keys | L2 |
| Order placement / cancellation | L2 |
| Public market data endpoints | None |