
Authentication

TradeWatch uses your account's API keys to authenticate API requests. If you don't include a key, or if the key is incorrect or outdated, an invalid request or authentication error is raised.

The Developers Dashboard can be used to create, reveal, and revoke secret API keys.

Warning

It's important to safeguard your keys.

Your secret API key can perform any API call for your account. Follow these best practices to keep your keys secure:

  • Only give access to those who require it.
  • Keep the key out of any version control system you may use.
  • Use a password manager or secrets management service to control key access.
  • Avoid embedding the secret API key in mobile applications or other locations where it can be accessed.

Create a new API secret key

To create a new API secret key in the Dashboard:

  1. Open the API keys page.
  2. Click Create API Key.
  3. Enter a name in Key name (or choose the one proposed by the system).
  4. Click Create.

Reveal an API secret key

To ensure security, the API secret key is displayed only once. Store the key in a safe location to avoid losing it. If the key is lost, it can be revoked and a new key can be generated.

Revoke an API secret key

If your secret key has been compromised, the key should be revoked to prevent any unauthorized API requests. To generate a new key and revoke the old API secret key:

  1. Open the API keys page.
  2. Click the trash icon next to the secret key.
  3. Enter the API key name in the text input field.
  4. Click Remove The Key.

Using your API key

When making API requests to TradeWatch, you can provide your API key in one of two ways:

API key as a header

Include the API key in the request header:

GET /api/v1/endpoint HTTP/1.1
Host: api.tradewatch.io
api-key: your_api_key_here

API key as a query parameter

Alternatively, you can include the API key as a query parameter:

GET /api/v1/endpoint?api-key=your_api_key_here HTTP/1.1
Host: api.tradewatch.io

Either method is acceptable, but using the header approach is recommended for security reasons, especially for POST requests, as query parameters may be logged in server access logs.
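
The following is an added example, not TradeWatch's own code, of the recommended header approach combined with the key-handling practices above: the key is read from the environment, sent only in the `api-key` header, and masked if a URL carrying it ever reaches a log. The environment variable name `TRADEWATCH_API_KEY`, the `https` scheme, and the `limit` parameter are assumptions; `/api/v1/endpoint` is the page's placeholder path.

```python
import os
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

API_HOST = "api.tradewatch.io"      # host shown on the page
KEY_NAME = "api-key"                # header / query parameter name shown on the page
KEY_ENV_VAR = "TRADEWATCH_API_KEY"  # assumed name, not defined by TradeWatch


def load_key(env=os.environ):
    """Read the key from the environment so it stays out of version control."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(path, key, params=None):
    """Build a GET request that carries the key in the header, never in the URL."""
    params = dict(params or {})
    if any(name.lower() == KEY_NAME for name in params):
        raise ValueError("send the API key as a header, not a query parameter")
    url = urlunsplit(("https", API_HOST, path, urlencode(params), ""))  # https assumed
    # urllib stores the header name as "Api-key"; HTTP header names are case-insensitive.
    return urllib.request.Request(url, headers={KEY_NAME: key}, method="GET")


def redact_url(url):
    """Mask an api-key query parameter before a URL or request target is logged."""
    parts = urlsplit(url)
    pairs = [(name, "REDACTED" if name.lower() == KEY_NAME else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed key and parameter, for illustration only; nothing is sent.
    req = build_request("/api/v1/endpoint", "constructed-key-123", {"limit": 5})
    print(req.full_url)
    print(redact_url("/api/v1/endpoint?api-key=constructed-key-123&limit=5"))
```

Pass the returned request to `urllib.request.urlopen` to send it; apply `redact_url` in any logging or error-reporting path that records request URLs.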